vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   vb eval() -- huh? (https://vborg.vbsupport.ru/showthread.php?t=51490)

loOll 04-11-2003 08:24 PM

vb eval() -- huh?
 
I'm currently going through the source code of vB 2.3.0, and I'm confused by all the eval'ed statements I'm finding (especially in functions.php). Example:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

This seems not only unnecessary, but dangerous. There's too much trust being placed upon the gettemplate function and the table data it pulls its results from. Is there any benefit to doing this which perhaps I've missed?

filburt1 04-11-2003 08:34 PM

It allows you to use variables in templates.

Xenon 04-11-2003 08:59 PM

nothing is dangerous, because the templates are just saved in strings and not parsed directly (except phpinclude)

how eval works can be seen in php.net function list

loOll 04-11-2003 09:27 PM

Filburt, excuse my continued confusion, but how is:

PHP Code:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";"); 

different than:
PHP Code:

$customfields .= gettemplate("getinfo_customfields"); 

Xenon, I should have explained a bit more. Same example:

PHP Code:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";"); 

If gettemplate returns -- "; system("blah"); // -- you have a statement which evaluates to something like:

PHP Code:

eval('$customfields .= ""; system("blah"); // ";'); 

When that's eval'ed, the command `blah` is run. This is of course a potential vulnerability, and depends upon another vulnerability in vB which either lets one taint $templatecache or modify a template row (which may be a vulnerability in another webapp that uses the same database). Being able to run system commands is more dangerous than a typical sql injection vulnerability.

I see the risk here, but not the benefit.

filburt1 04-11-2003 09:36 PM

http://www.php.net/eval

Read the two things that it does. It doesn't just execute code.

Xenon 04-11-2003 10:53 PM

@loOll:
look at the code more exactly.

if gettemplate returns -- "; system("blah");

it will end up in this:

$bla = " ---\"; system(\"blah\"); ";

there's addslashes in gettemplate; if you don't want them in, you can call gettemplate in another way..
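A runnable model of the mechanism the two posts above argue about, added here as an illustration (it is not vBulletin's own code): a constructed template table, a simplified gettemplate() that applies addslashes(), and a helper that builds the eval() source as text so the escaped and unescaped forms can be compared.

```php
<?php
// Added illustration (not vBulletin's own code) of the eval() template
// pattern: how it interpolates variables, and why the addslashes() step in
// gettemplate() keeps a template row from closing the string literal.

// Constructed stand-in for the template rows vB reads from the database.
$templatecache = [
    'getinfo_customfields' => '<tr><td>$field[title]: $field[value]</td></tr>',
    // Row text shaped like the example in the thread.
    'odd_row' => '"; system("blah"); // ',
];

// Simplified model of gettemplate(): the raw row text is escaped so it can be
// embedded in a double-quoted PHP string (the real function does more).
function gettemplate(string $name): string
{
    global $templatecache;
    return addslashes($templatecache[$name]);
}

// Builds the PHP source that eval() would receive, without running it.
function build_eval_source(string $target, string $body): string
{
    return '$' . $target . ' .= "' . $body . '";';
}

$field = ['title' => 'Location', 'value' => 'Berlin'];

// The benefit filburt1 points to: inside the double-quoted literal,
// "$field[title]" is interpolated, which a plain .= of the row text would not do.
$customfields = '';
eval(build_eval_source('customfields', gettemplate('getinfo_customfields')));
echo $customfields, "\n";          // <tr><td>Location: Berlin</td></tr>

// Escaped row: every quote arrives as \" and stays inside the literal, so the
// evaluated result is just the row text; nothing after the quote runs as code.
$out = '';
eval(build_eval_source('out', gettemplate('odd_row')));
echo $out, "\n";                   // "; system("blah"); //

// Unescaped row: shown only as source text, never evaluated. The first raw
// quote closes the literal and the remainder would be parsed as a statement.
echo build_eval_source('out', $templatecache['odd_row']), "\n";
// $out .= ""; system("blah"); // ";
```

Note that addslashes() only prevents the quote break-out; PHP's own interpolation syntax still applies inside the double-quoted literal, so template rows remain trusted input and the database they live in is part of the trust boundary.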

loOll 04-11-2003 11:54 PM

Quote:

Today at 07:47 PM Xenon said this in Post #6
there's addslashed in gettemplate, just if you don't want em in you can call gettemplate in another way..
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

filburt1 04-12-2003 12:28 AM

Quote:

Today at 08:48 PM loOll said this in Post #7
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.


You may be rewriting half of vBulletin then because there are at least two "special" templates that I can think of that do not work like normal templates.

Link14716 04-12-2003 10:13 PM

phpinclude, options, birthdays, and maxloggedin.

I think those are the 4 templates that aren't normal templates. ;)

Xenon 04-13-2003 04:04 PM

just phpinclude and options count, because these are really evaled ;)

the other two, are also somehow special, but in another way ;)
