[Full-Disclosure] : [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection

2005-02-22T00:00:00
ID SECURITYVULNS:DOC:7889
Type securityvulns
Reporter Securityvulns
Modified 2005-02-22T00:00:00

Description

Summary: vbulletin 3.0.6 and below php code injection

Description

vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complimented with a highly efficient and ultra fast back-end database engine built using MySQL.

Details

User may inject php code using "nested variable" into template name when "Add Template Name in HTML Comments" is enable. This option is not enable by default and is not recomended by vbulletin for production environment. The problem occur when user may supply partial template name through misc.php.

Workaround

Disable "Add Template Name in HTML Comments" option.

Proof of concept

http://site.com/misc.php?do=page&template={${phpinfo()}}

Vendor Response

17th February 2005 - Vulnerability found 18th February 2005 - vbulletin developer informed 19th February 2005 - vbulletin developer confirmed 20th February 2005 - Fix Available from vbulletin team


Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html