The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Security Issue?
I'm just an admin at a site running 3.8.5; I don't have the licensing info, so I couldn't post this in the proper forum. I'm sorry.
I've recently discovered a PHP injection scheme using the "Upload from URL" feature. Here's the scenario:
1) Someone creates a URL on their own server that looks like an image URL (allowed attachment type).
2) Their server dynamically changes the MIME content type to txt/php.
3) Once the attachment is uploaded, the user can run the script directly out of their attachments folder, e.g. a user ID of 123 and a script name of exploit.php gives www.yourserver.com/attachments/1/2/3/exploit.php
Maybe this has been reported before; but we've had a script kiddie inject an email script into our server, and he's been sending spam from it. Maybe there's another way to get a PHP file uploaded through the attachments; we're certainly not allowing any PHP extensions in our allowed extensions.
Thanks,
F.
#2
The .php extension shouldn't really be allowed to be uploaded.
In a sane environment, the attachment directory shouldn't be accessible from the web either. It's not really a security hole, rather the way PHP scripts work combined with poor server/forum configuration, which makes misuse possible.
#3
Thanks.
Perhaps we can have our host restrict browsing in the attachments folder (which is inside the httpdocs document root, making it accessible through HTTP).
--------------- Added 2012-03-05 ---------------
A little more investigation led me here: https://www.vbulletin.com/forum/show...t-please-check
That script is similar to the one we found on our site (twice). We've put .htaccess files in the custom* directories, as well as the root of the attachments directory. Hopefully that will deny all future access to injected PHP on the forum.
Thanks again,
F
#4
This is why it's long been the standard that the attachments repository be located outside the webroot. As a temporary measure, it's best to disable the PHP interpreter altogether for the attachments directory. This means that no matter what extension a file is masqueraded as, the PHP executable will not parse it.
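One way to carry out the temporary measure described in this post, as an added example that is not from the thread or from vBulletin: an .htaccess for the attachments directory while it still sits under the document root. It assumes Apache 2.2 or 2.4 with AllowOverride permitting these directives, and the PHP module names for PHP 7/8 are assumptions for those versions.

```apache
# .htaccess for <docroot>/attachments/ (added example, not vBulletin's own file).
# Assumes Apache 2.2 or 2.4 with AllowOverride All (or at least
# AuthConfig, FileInfo and Options) enabled for this directory.

# 1) Deny every direct HTTP request to this tree. vBulletin serves
#    attachments through attachment.php, so nothing here needs to be
#    fetched by URL. This alone blocks /attachments/1/2/3/exploit.php.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>

# 2) Defence in depth: even if direct access is re-enabled later,
#    never hand a file from this tree to the PHP interpreter.
<IfModule mod_php5.c>
    # Only honoured when PHP runs as mod_php. For PHP 7/8 the module
    # identifier is mod_php7.c / mod_php.c (assumed for those versions).
    php_flag engine off
</IfModule>

# Detach PHP handlers and MIME types for the common PHP extensions,
# and refuse CGI execution, so no masqueraded file is parsed.
RemoveHandler .php .phtml .php3 .php4 .php5 .phps
RemoveType    .php .phtml .php3 .php4 .php5 .phps
Options -ExecCGI

# Refuse names that carry a PHP extension anywhere in the suffix chain
# (exploit.php as well as exploit.php.jpg).
<FilesMatch "\.(php[3-5]?|phtml|phps)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After applying it, request a harmless text file placed in the attachments tree and confirm the server answers 403; if the vhost has AllowOverride None, the same directives belong in a <Directory> block in the vhost instead.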
#5
#6
Thanks guys. Seems the configuration was fubar from the start. If it were me, we'd start over.
We're good now, though.
#7
Title updated to avoid confusion.