Old 11-11-2004, 11:44 AM
MrEyes
 
Join Date: Nov 2004
Posts: 380
vBulletin SQL Injection Vulnerability

I have just installed:

vBulletin 3.0.3
Apache 2
PHP 5
MySql 4.1.7
VB 3.0.3

After installation was completed and the forum was set up and working correctly, I ran a Nessus vulnerability scan (http://www.nessus.org/). The report returned the following items, which are a little "interesting" (the really interesting bits are highlighted).

I have encountered false positives with Nessus before, so should I be concerned about these (especially considering that one section suggests upgrading to VB 3.0.4, which AFAIK doesn't exist in the public domain)?

Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/forumdisplay.php?f='UNION'
/forumdisplay.php?f='UNION'
/forumdisplay.php?f='
/forumdisplay.php?f='
/forumdisplay.php?f='%22
/forumdisplay.php?f='%22
/forumdisplay.php?f=9%2c+9%2c+9
/forumdisplay.php?f=9%2c+9%2c+9
/forumdisplay.php?f='bad_bad_value
/forumdisplay.php?f='bad_bad_value
/forumdisplay.php?f=bad_bad_value'
/forumdisplay.php?f=bad_bad_value'
/forumdisplay.php?f='+OR+'
/forumdisplay.php?f='+OR+'
/forumdisplay.php?f='WHERE
/forumdisplay.php?f='WHERE
/forumdisplay.php?f=%3B
/forumdisplay.php?f=%3B
/forumdisplay.php?f='OR
/forumdisplay.php?f='OR
/forumdisplay.php?f=' or 1=1--
/forumdisplay.php?f= or 1=1--
/forumdisplay.php?f=' or 'a'='a
/forumdisplay.php?f=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/calendar.php?s='UNION'
/calendar.php?s='UNION'
/calendar.php?s='
/calendar.php?s='
/calendar.php?s='%22
/calendar.php?s='%22
/calendar.php?s=9%2c+9%2c+9
/calendar.php?s=9%2c+9%2c+9
/calendar.php?s='bad_bad_value
/calendar.php?s='bad_bad_value
/calendar.php?s=bad_bad_value'
/calendar.php?s=bad_bad_value'
/calendar.php?s='+OR+'
/calendar.php?s='+OR+'
/calendar.php?s='WHERE
/calendar.php?s='WHERE
/calendar.php?s=%3B
/calendar.php?s=%3B
/calendar.php?s='OR
/calendar.php?s='OR
/calendar.php?s=' or 1=1--
/calendar.php?s= or 1=1--
/calendar.php?s=' or 'a'='a
/calendar.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/memberlist.php?s='UNION'
/memberlist.php?s='UNION'
/memberlist.php?s='
/memberlist.php?s='
/memberlist.php?s='%22
/memberlist.php?s='%22
/memberlist.php?s=9%2c+9%2c+9
/memberlist.php?s=9%2c+9%2c+9
/memberlist.php?s='bad_bad_value
/memberlist.php?s='bad_bad_value
/memberlist.php?s=bad_bad_value'
/memberlist.php?s=bad_bad_value'
/memberlist.php?s='+OR+'
/memberlist.php?s='+OR+'
/memberlist.php?s='WHERE
/memberlist.php?s='WHERE
/memberlist.php?s=%3B
/memberlist.php?s=%3B
/memberlist.php?s='OR
/memberlist.php?s='OR
/memberlist.php?s=' or 1=1--
/memberlist.php?s= or 1=1--
/memberlist.php?s=' or 'a'='a
/memberlist.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system
written in PHP.

The remote version of this software is vulnerable to a cross-site scripting
issue, due to a failure of the application to properly sanitize user-supplied
URI input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.

This may facilitate the theft of cookie-based authentication credentials
as well as other attacks.

Solution : Upgrade to vBulletin 3.0.2 or newer
Risk factor : Medium
CVE : CAN-2004-0620
BID : 10612, 10602
Other references : OSVDB:7256
Nessus ID : 14792
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system
written in PHP.

The remote version of this software is vulnerable to a cross-site scripting
issue, due to a failure of the application to properly sanitize user-supplied
URI input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.

This may facilitate the theft of cookie-based authentication credentials
as well as other attacks.

Solution : Upgrade to vBulletin 3.0.2 or newer
Risk factor : Medium
CVE : CAN-2004-0620
BID : 10612, 10602
Other references : OSVDB:7256
Nessus ID : 14792
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/login.php?forceredirect='UNION'
/login.php?forceredirect='UNION'
/login.php?forceredirect='
/login.php?forceredirect='
/login.php?forceredirect='%22
/login.php?forceredirect='%22
/login.php?forceredirect=9%2c+9%2c+9
/login.php?forceredirect=9%2c+9%2c+9
/login.php?forceredirect='bad_bad_value
/login.php?forceredirect='bad_bad_value
/login.php?forceredirect=bad_bad_value'
/login.php?forceredirect=bad_bad_value'
/login.php?forceredirect='+OR+'
/login.php?forceredirect='+OR+'
/login.php?forceredirect='WHERE
/login.php?forceredirect='WHERE
/login.php?forceredirect=%3B
/login.php?forceredirect=%3B
/login.php?forceredirect='OR
/login.php?forceredirect='OR
/login.php?forceredirect=' or 1=1--
/login.php?forceredirect= or 1=1--
/login.php?forceredirect=' or 'a'='a
/login.php?forceredirect=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/register.php?do='UNION'
/register.php?do='UNION'
/register.php?do='
/register.php?do='
/register.php?do='%22
/register.php?do='%22
/register.php?do=9%2c+9%2c+9
/register.php?do=9%2c+9%2c+9
/register.php?do='bad_bad_value
/register.php?do='bad_bad_value
/register.php?do=bad_bad_value'
/register.php?do=bad_bad_value'
/register.php?do='+OR+'
/register.php?do='+OR+'
/register.php?do='WHERE
/register.php?do='WHERE
/register.php?do=%3B
/register.php?do=%3B
/register.php?do='OR
/register.php?do='OR
/register.php?do=' or 1=1--
/register.php?do= or 1=1--
/register.php?do=' or 'a'='a
/register.php?do=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/sendmessage.php?s='UNION'
/sendmessage.php?s='UNION'
/sendmessage.php?s='
/sendmessage.php?s='
/sendmessage.php?s='%22
/sendmessage.php?s='%22
/sendmessage.php?s=9%2c+9%2c+9
/sendmessage.php?s=9%2c+9%2c+9
/sendmessage.php?s='bad_bad_value
/sendmessage.php?s='bad_bad_value
/sendmessage.php?s=bad_bad_value'
/sendmessage.php?s=bad_bad_value'
/sendmessage.php?s='+OR+'
/sendmessage.php?s='+OR+'
/sendmessage.php?s='WHERE
/sendmessage.php?s='WHERE
/sendmessage.php?s=%3B
/sendmessage.php?s=%3B
/sendmessage.php?s='OR
/sendmessage.php?s='OR
/sendmessage.php?s=' or 1=1--
/sendmessage.php?s= or 1=1--
/sendmessage.php?s=' or 'a'='a
/sendmessage.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/faq.php?s='UNION'
/faq.php?s='UNION'
/faq.php?s='
/faq.php?s='
/faq.php?s='%22
/faq.php?s='%22
/faq.php?s=9%2c+9%2c+9
/faq.php?s=9%2c+9%2c+9
/faq.php?s='bad_bad_value
/faq.php?s='bad_bad_value
/faq.php?s=bad_bad_value'
/faq.php?s=bad_bad_value'
/faq.php?s='+OR+'
/faq.php?s='+OR+'
/faq.php?s='WHERE
/faq.php?s='WHERE
/faq.php?s=%3B
/faq.php?s=%3B
/faq.php?s='OR
/faq.php?s='OR
/faq.php?s=' or 1=1--
/faq.php?s= or 1=1--
/faq.php?s=' or 'a'='a
/faq.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system written
in PHP.

The remote version of this software is vulnerable to a SQL injection issue. It is
reported that versions 3.0.0 through to 3.0.3 are prone to this issue. An attacker
may exploit this flaw to gain the control of the remote database.


See also : http://secunia.com/advisories/12531/
Solution : Upgrade to vBulletin 3.0.4 or newer
Risk factor : High
BID : 11193
Nessus ID : 14785
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/index.php?s='UNION'
/index.php?s='UNION'
/index.php?s='
/index.php?s='
/index.php?s='%22
/index.php?s='%22
/index.php?s=9%2c+9%2c+9
/index.php?s=9%2c+9%2c+9
/index.php?s='bad_bad_value
/index.php?s='bad_bad_value
/index.php?s=bad_bad_value'
/index.php?s=bad_bad_value'
/index.php?s='+OR+'
/index.php?s='+OR+'
/index.php?s='WHERE
/index.php?s='WHERE
/index.php?s=%3B
/index.php?s=%3B
/index.php?s='OR
/index.php?s='OR
/index.php?s=' or 1=1--
/index.php?s= or 1=1--
/index.php?s=' or 'a'='a
/index.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system written
in PHP.

The remote version of this software is vulnerable to a SQL injection issue. It is
reported that versions 3.0.0 through to 3.0.3 are prone to this issue. An attacker
may exploit this flaw to gain the control of the remote database.


See also : http://secunia.com/advisories/12531/
Solution : Upgrade to vBulletin 3.0.4 or newer
Risk factor : High
BID : 11193
Nessus ID : 14785
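As an added example (not from the original post, nor from Nessus or vBulletin), a small Python script that parses the plain-text Nessus report format quoted above, drops the doubled URL lines, and groups findings by Nessus plugin ID, separating the generic URL-probe findings (no CVE/BID reference, same payload list against every script) from the version-based ones that do carry references. That split is the first triage step when deciding which results need manual confirmation. The sample report is constructed, abridged from the quoted output.

```python
import re
from collections import OrderedDict

# Constructed sample, abridged from the report format quoted in the post above.
SAMPLE_REPORT = """\
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/forumdisplay.php?f='UNION'
/forumdisplay.php?f='UNION'
/forumdisplay.php?f=' or 1=1--

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
Nessus ID : 11139
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system written
in PHP.

Solution : Upgrade to vBulletin 3.0.4 or newer
Risk factor : High
BID : 11193
Nessus ID : 14785
"""

# "Key : value" lines that the report uses; everything else is description text.
FIELD_RE = re.compile(r"^(Solution|Risk factor|See also|CVE|BID|Nessus ID)\s*:\s*(.*)$")

def parse_findings(text):
    """Split a plain-text Nessus report into one dict per 'Vulnerability' block."""
    findings = []
    for chunk in re.split(r"^Vulnerability\s+", text, flags=re.M)[1:]:
        lines = chunk.splitlines()
        f = {"service": lines[0].strip(), "urls": [], "fields": {}}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                f["fields"][m.group(1)] = m.group(2).strip()
            elif line.startswith("/") and line not in f["urls"]:
                f["urls"].append(line)  # the report lists each probe URL twice
        findings.append(f)
    return findings

def triage(findings):
    """Per plugin ID: how many blocks, which URLs, and whether any CVE/BID
    reference backs it (version-based finding) or it is a bare URL probe."""
    summary = OrderedDict()
    for f in findings:
        pid = f["fields"].get("Nessus ID", "?")
        e = summary.setdefault(pid, {"count": 0, "urls": set(), "references": False,
                                     "risk": f["fields"].get("Risk factor", "?")})
        e["count"] += 1
        e["urls"].update(f["urls"])
        e["references"] |= any(k in f["fields"] for k in ("CVE", "BID"))
    return summary
```

Findings whose `references` flag is False are the ones to reproduce by hand before treating them as confirmed; those with a CVE/BID and a version-based solution are checked against the installed version instead.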