vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
#1
04-11-2003, 08:24 PM
loOll
Join Date: Apr 2003
Location: Portsmouth, NH
Posts: 3

vb eval() -- huh?

I'm currently going through the source code of vB 2.3.0, and I'm confused by all the eval'ed statements I'm finding (especially in functions.php). Example:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

This seems not only unnecessary, but dangerous. There's too much trust being placed upon the gettemplate function and the table data it pulls its results from. Is there any benefit to doing this which perhaps I've missed?

#2
04-11-2003, 08:34 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

It allows you to use variables in templates.

#3
04-11-2003, 08:59 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

Nothing is dangerous, because the templates are just saved in strings and not parsed directly (except phpinclude).

How eval works can be seen in the php.net function list.

#4
04-11-2003, 09:27 PM
loOll
Join Date: Apr 2003
Location: Portsmouth, NH
Posts: 3

Filburt, excuse my continued confusion, but how is:

PHP Code:
eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

different from:

PHP Code:
$customfields .= gettemplate("getinfo_customfields");

Xenon, I should have explained a bit more. Same example:

PHP Code:
eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

If gettemplate returns -- "; system("blah"); // -- you have a statement which evaluates to something like:

PHP Code:
eval('$customfields .= ""; system("blah"); // ";');

When that's eval'ed, the command `blah` is run. This is of course a potential vulnerability, and depends upon another vulnerability in vB which either lets one taint $templatecache or modify a template row (which may be a vulnerability in another webapp that uses the same database). Being able to run system commands is more dangerous than a typical SQL injection vulnerability.

I see the risk here, but not the benefit.

#5
04-11-2003, 09:36 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

http://www.php.net/eval

Read the two things that it does. It doesn't just execute code.

#6
04-11-2003, 10:53 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

@loOll:
Look at the code more exactly.

If gettemplate returns -- "; system("blah");

it will end up in this:

$bla = " ---\"; system(\"blah\"); ";

There's addslashes in gettemplate; if you don't want them in, you can call gettemplate in another way.
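The mechanism argued over in posts #2, #4 and #6, as an added example that is not vBulletin's code: a stripped-down model of the eval()-based template pattern, showing why eval() (rather than plain concatenation) is used, what the statement looks like when a template row carries a closing quote, and what addslashes() does to it. `$templatecache`, `gettemplate()` and `render_template()` here are simplified stand-ins, not the real vB 2.3 functions, and the two template rows are constructed sample data.

```php
<?php
// Added example, not vBulletin code. $templatecache stands in for the
// rows vB loads from its template table; gettemplate() and
// render_template() are simplified stand-ins for the real functions.

// Constructed sample "template table": raw template bodies as stored.
$templatecache = [
    // A normal template: HTML containing PHP variables to interpolate.
    'getinfo_customfields' => '<tr><td>{$title}</td><td>$value</td></tr>',
    // An attacker-controlled row, as in post #4: tries to close the
    // string literal and append a statement.
    'evil' => '"; system("id"); //',
];

// Stand-in for gettemplate(): fetch the raw body and escape it so it can
// sit inside a double-quoted PHP string literal. addslashes() escapes
// " \ ' and NUL, which is exactly what keeps the literal closed.
function gettemplate(string $name, bool $escape = true): string
{
    global $templatecache;
    $raw = $templatecache[$name] ?? '';
    return $escape ? addslashes($raw) : $raw;
}

// The pattern from functions.php: build a PHP statement whose right-hand
// side is a double-quoted string literal, then eval() it so that PHP's
// string interpolation substitutes $title, $value, etc. This is what
// plain "$customfields .= gettemplate(...)" cannot do.
function render_template(string $name, array $vars, bool $escape = true): string
{
    $out = '';
    extract($vars, EXTR_SKIP);   // make template variables visible to eval()
    $code = '$out .= "' . gettemplate($name, $escape) . '";';
    eval($code);
    return $out;
}

// Build (but do not execute) the statement eval() would see for a
// template row, so the escaped and unescaped forms can be compared.
function build_statement(string $name, bool $escape): string
{
    return '$out .= "' . gettemplate($name, $escape) . '";';
}

// Normal use: eval() interpolates the variables into the template.
echo render_template('getinfo_customfields',
                     ['title' => 'Location', 'value' => 'Bavaria']), "\n";

// With addslashes() (Xenon's point in post #6): the attacker's quotes are
// escaped, the whole row stays inside the literal and is emitted as text.
echo build_statement('evil', true), "\n";
echo render_template('evil', []), "\n";

// Without the escaping (loOll's scenario in post #4): the first quote
// closes the literal and system("id") becomes a separate statement.
// Deliberately only printed, never passed to eval().
echo build_statement('evil', false), "\n";
```

Run as written, the first echo prints the filled-in table row, the escaped statement is `$out .= "\"; system(\"id\"); //";` and renders to the literal text `"; system("id"); //`, while the unescaped statement is `$out .= ""; system("id"); //";`, which is exactly the shape loOll wrote out. Two caveats for anyone auditing this pattern: addslashes() only stops a row from closing the string literal; `$variable`, `{$obj->method()}` and `{${...}}` syntax inside the double-quoted literal are still interpolated (and the latter two execute code) once eval() runs, so template rows remain trusted, admin-level content and anything that can write to that table can run PHP. And the escaping lives in gettemplate(), not in eval(); any call path that bypasses it (as post #6 notes is possible) hands an unescaped row to the literal.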

#7
04-11-2003, 11:54 PM
loOll
Join Date: Apr 2003
Location: Portsmouth, NH
Posts: 3

Quote:
Today at 07:47 PM Xenon said this in Post #6
There's addslashes in gettemplate; if you don't want them in, you can call gettemplate in another way.
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

#8
04-12-2003, 12:28 AM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

Quote:
Today at 08:48 PM loOll said this in Post #7
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

You may be rewriting half of vBulletin then because there are at least two "special" templates that I can think of that do not work like normal templates.

#9
04-12-2003, 10:13 PM
Link14716
Join Date: Jun 2002
Location: Georgia, USA
Posts: 2,519

phpinclude, options, birthdays, and maxloggedin.

I think those are the 4 templates that aren't normal templates.

#10
04-13-2003, 04:04 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

Just phpinclude and options count, because these are really eval'ed.

The other two are also somehow special, but in another way.