"vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complimented with a highly efficient and ultra fast back-end database engine built using MySQL."
vBulletin is prone to an SQL injection vulnerability due to improper use of POST variables when attempting to verify a user's subscription.
Credit:
The information has been provided by al3ndaleeb.
Vulnerable Systems:
* vBulletin version 3.0 up to and including version 3.0.3
In a typical SQL injection scenario, variables taken from HTTP requests, such as GET and POST parameters, are passed directly into an SQL query, allowing an attacker to append additional SQL commands to the original statement. The following excerpt from vBulletin's code clearly shows the problem:
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('SESSION_BYPASS', 1);
$phrasegroups = array();
$specialtemplates = array();
chdir('./../');
require('./includes/init.php');
require('./includes/functions.php');
require('./includes/adminfunctions.php');
require('./includes/functions_subscriptions.php');
$check_hash = strtoupper(md5($vboptions['authorize_loginid'] . $_POST['x_trans_id'] . $_POST['x_amount']));
if ($check_hash == $_POST['x_MD5_Hash'] AND $_POST['x_response_code'] == 1)
{
$item_number = explode('_', $_POST['x_invoice_num']);
$subscriptionid = intval($item_number[0]);
if (empty($item_number[1]) OR empty($item_number[2]))
{ // non vBulletin subscription
exit;
}
$userid = $DB_site->query_first("SELECT userid, languageid, styleid FROM " . TABLE_PREFIX . "user WHERE userid = " . $item_number[1]);
It is easy to see that $item_number[1] is taken directly from the POST request (the second underscore-separated component of x_invoice_num) and concatenated into the SQL query without any sanitization, even though the first component is passed through intval(); this is what makes SQL injection possible.
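The following is an added example, not vBulletin's code, that isolates the invoice-number parsing from the excerpt above and places it beside a hardened version in which every component of x_invoice_num must be a plain decimal integer before it is used in SQL. Function names and the sample invoice values are constructed for illustration.

```php
<?php
// Added example (not part of vBulletin): vulnerable parsing versus hardened parsing
// of the x_invoice_num POST field. Both functions return the SQL text that would be
// sent to the database, or null when the input is rejected, so the difference is visible.

function parse_invoice_vulnerable(string $invoice): ?string
{
    // Mirrors the original logic: only the first component is cast to an integer.
    $item_number = explode('_', $invoice);
    $subscriptionid = intval($item_number[0]);
    if (empty($item_number[1]) or empty($item_number[2])) {
        return null; // non vBulletin subscription
    }
    // $item_number[1] is interpolated verbatim into the query text.
    return "SELECT userid, languageid, styleid FROM user WHERE userid = " . $item_number[1];
}

function parse_invoice_hardened(string $invoice): ?string
{
    $item_number = explode('_', $invoice);
    // Exactly three components are expected: subscription id, user id, sub-id.
    if (count($item_number) !== 3) {
        return null;
    }
    // Reject anything that is not a non-empty string of decimal digits.
    foreach ($item_number as $part) {
        if (!ctype_digit($part)) {
            return null;
        }
    }
    $subscriptionid = (int) $item_number[0];
    $userid         = (int) $item_number[1];
    // Only the integer value ever reaches the SQL text.
    return "SELECT userid, languageid, styleid FROM user WHERE userid = " . $userid;
}

// Constructed inputs: a well-formed invoice number and a malformed one.
$inputs = ['5_42_7', '5_42abc_7'];
foreach ($inputs as $in) {
    printf("%-12s vulnerable: %s\n", $in, parse_invoice_vulnerable($in) ?? 'rejected');
    printf("%-12s hardened:   %s\n", $in, parse_invoice_hardened($in) ?? 'rejected');
}
```

For the malformed input the vulnerable function emits `... WHERE userid = 42abc`, while the hardened function returns null and never builds a query.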