Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

[SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection
From: pokley <pokleyzz () scan-associates net>
Date: Mon, 21 Feb 2005 11:01:02 +0800
Summary: vbulletin 3.0.6 and below php code injection

Description
===========
vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complimented with a highly efficient and ultra fast back-end database engine built using MySQL. 

Details
=======
User may inject php code using "nested variable" into template name when "Add Template Name in HTML Comments" is enable. This option is not enable by default and is not recomended by vbulletin for production environment. The problem occur when user may supply partial template name through misc.php. 


Workaround
==========
Disable "Add Template Name in HTML Comments" option.

Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}

Vendor Response
===============
17th February 2005 - Vulnerability found
18th February 2005 - vbulletin developer informed
19th February 2005 - vbulletin developer confirmed
20th February 2005 - Fix Available from vbulletin team

  By Date           By Thread  

Current thread:
  • [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection pokley (Feb 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]