The Arcive of Official vBulletin Modifications Site.

loOll · #1 04-11-2003, 08:24 PM

I'm currently going through the source code of vB 2.3.0, and I'm confused by all the eval'ed statements I'm finding (especially in functions.php). Example:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

This seems not only unneccesary, but dangerous. There's too much trust being placed upon the gettemplate function and the table data it pulls it's results from. Is there any benefit to doing this which perhaps I've missed?

filburt1 · #2 04-11-2003, 08:34 PM

It allows you to use variables in templates.

Xenon · #3 04-11-2003, 08:59 PM

nothing is dangerous, because the templates are just saved in strings and not parsed directly (except phpinclude)

how eval works can be seen in php.net function list

loOll · #4 04-11-2003, 09:27 PM

Filburt, excuse my continued confusion, but how is:

PHP Code:


			
eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

different than:

PHP Code:


			
$customfields .= gettemplate("getinfo_customfields");

Xenon, I should have explained a bit more. Same example:

PHP Code:


			
eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

If gettemplate returns -- "; system("blah"); // -- you have a statement which evaluates to something like:

PHP Code:


			
eval('$customfields .= ""; system("blah"); // ";');

When that's eval'ed, the command `blah` is run. This is of course a potential vulnerability, and depends upon another vulnerability in vB which either lets one taint $templatecache or modify a template row (which may be a vulnerability in another webapp that uses the same database). Being able to run system commands is more dangerous than a typical sql injection vulnerability.

I see the risk here, but not the benefit.

filburt1 · #5 04-11-2003, 09:36 PM

http://www.php.net/eval

Read the two things that it does. It doesn't just execute code.

Xenon · #6 04-11-2003, 10:53 PM

@loOL:
look at the code more exactly.

if gettemplate returns -- "; system("blah");

it will end up in this:

$bla = " ---\"; system(\"blah\"); ";

there's addslashed in gettemplate, just if you don't want em in you can call gettemplate in another way..

loOll · #7 04-11-2003, 11:54 PM

Quote:

Today at 07:47 PM Xenon said this in Post #6
there's addslashed in gettemplate, just if you don't want em in you can call gettemplate in another way..

After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

filburt1 · #8 04-12-2003, 12:28 AM

Quote:

Today at 08:48 PM loOll said this in Post #7
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

You may be rewriting half of vBulletin then because there are at least two "special" templates that I can think of that do not work like normal templates.

Link14716 · #9 04-12-2003, 10:13 PM

phpinclude, options, birthdays, and maxloggedin.

I think those are the 4 templates that aren't normal templates.

Xenon · #10 04-13-2003, 04:04 PM

just phpinclude and options count, because these are really evaled

the other two, are also somehow special, but in another way

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04089 seconds Memory Usage 2,253KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (4)bbcode_php (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!