vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

#1
11-11-2004, 11:44 AM
MrEyes
Join Date: Nov 2004
Posts: 380

vBulletin SQL Injection Vulnerability

I have just installed:

vBulletin 3.0.3
Apache 2
PHP 5
MySql 4.1.7
VB 3.0.3

After installation was completed and the forum was set up and working correctly, I ran a Nessus vulnerability scan (http://www.nessus.org/). The report returned the following items, which are a little "interesting" (the really interesting bits are highlighted).

I have encountered false positives with Nessus before, so should I be concerned about these (especially considering that one section suggests upgrading to VB 3.0.4, which AFAIK doesn't exist in the public domain)?

Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/forumdisplay.php?f='UNION'
/forumdisplay.php?f='UNION'
/forumdisplay.php?f='
/forumdisplay.php?f='
/forumdisplay.php?f='%22
/forumdisplay.php?f='%22
/forumdisplay.php?f=9%2c+9%2c+9
/forumdisplay.php?f=9%2c+9%2c+9
/forumdisplay.php?f='bad_bad_value
/forumdisplay.php?f='bad_bad_value
/forumdisplay.php?f=bad_bad_value'
/forumdisplay.php?f=bad_bad_value'
/forumdisplay.php?f='+OR+'
/forumdisplay.php?f='+OR+'
/forumdisplay.php?f='WHERE
/forumdisplay.php?f='WHERE
/forumdisplay.php?f=%3B
/forumdisplay.php?f=%3B
/forumdisplay.php?f='OR
/forumdisplay.php?f='OR
/forumdisplay.php?f=' or 1=1--
/forumdisplay.php?f= or 1=1--
/forumdisplay.php?f=' or 'a'='a
/forumdisplay.php?f=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/calendar.php?s='UNION'
/calendar.php?s='UNION'
/calendar.php?s='
/calendar.php?s='
/calendar.php?s='%22
/calendar.php?s='%22
/calendar.php?s=9%2c+9%2c+9
/calendar.php?s=9%2c+9%2c+9
/calendar.php?s='bad_bad_value
/calendar.php?s='bad_bad_value
/calendar.php?s=bad_bad_value'
/calendar.php?s=bad_bad_value'
/calendar.php?s='+OR+'
/calendar.php?s='+OR+'
/calendar.php?s='WHERE
/calendar.php?s='WHERE
/calendar.php?s=%3B
/calendar.php?s=%3B
/calendar.php?s='OR
/calendar.php?s='OR
/calendar.php?s=' or 1=1--
/calendar.php?s= or 1=1--
/calendar.php?s=' or 'a'='a
/calendar.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/memberlist.php?s='UNION'
/memberlist.php?s='UNION'
/memberlist.php?s='
/memberlist.php?s='
/memberlist.php?s='%22
/memberlist.php?s='%22
/memberlist.php?s=9%2c+9%2c+9
/memberlist.php?s=9%2c+9%2c+9
/memberlist.php?s='bad_bad_value
/memberlist.php?s='bad_bad_value
/memberlist.php?s=bad_bad_value'
/memberlist.php?s=bad_bad_value'
/memberlist.php?s='+OR+'
/memberlist.php?s='+OR+'
/memberlist.php?s='WHERE
/memberlist.php?s='WHERE
/memberlist.php?s=%3B
/memberlist.php?s=%3B
/memberlist.php?s='OR
/memberlist.php?s='OR
/memberlist.php?s=' or 1=1--
/memberlist.php?s= or 1=1--
/memberlist.php?s=' or 'a'='a
/memberlist.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system
written in PHP.

The remote version of this software is vulnerable to a cross-site scripting
issue, due to a failure of the application to properly sanitize user-supplied
URI input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.

This may facilitate the theft of cookie-based authentication credentials
as well as other attacks.

Solution : Upgrade to vBulletin 3.0.2 or newer
Risk factor : Medium
CVE : CAN-2004-0620
BID : 10612, 10602
Other references : OSVDB:7256
Nessus ID : 14792
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system
written in PHP.

The remote version of this software is vulnerable to a cross-site scripting
issue, due to a failure of the application to properly sanitize user-supplied
URI input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.

This may facilitate the theft of cookie-based authentication credentials
as well as other attacks.

Solution : Upgrade to vBulletin 3.0.2 or newer
Risk factor : Medium
CVE : CAN-2004-0620
BID : 10612, 10602
Other references : OSVDB:7256
Nessus ID : 14792
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/login.php?forceredirect='UNION'
/login.php?forceredirect='UNION'
/login.php?forceredirect='
/login.php?forceredirect='
/login.php?forceredirect='%22
/login.php?forceredirect='%22
/login.php?forceredirect=9%2c+9%2c+9
/login.php?forceredirect=9%2c+9%2c+9
/login.php?forceredirect='bad_bad_value
/login.php?forceredirect='bad_bad_value
/login.php?forceredirect=bad_bad_value'
/login.php?forceredirect=bad_bad_value'
/login.php?forceredirect='+OR+'
/login.php?forceredirect='+OR+'
/login.php?forceredirect='WHERE
/login.php?forceredirect='WHERE
/login.php?forceredirect=%3B
/login.php?forceredirect=%3B
/login.php?forceredirect='OR
/login.php?forceredirect='OR
/login.php?forceredirect=' or 1=1--
/login.php?forceredirect= or 1=1--
/login.php?forceredirect=' or 'a'='a
/login.php?forceredirect=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/register.php?do='UNION'
/register.php?do='UNION'
/register.php?do='
/register.php?do='
/register.php?do='%22
/register.php?do='%22
/register.php?do=9%2c+9%2c+9
/register.php?do=9%2c+9%2c+9
/register.php?do='bad_bad_value
/register.php?do='bad_bad_value
/register.php?do=bad_bad_value'
/register.php?do=bad_bad_value'
/register.php?do='+OR+'
/register.php?do='+OR+'
/register.php?do='WHERE
/register.php?do='WHERE
/register.php?do=%3B
/register.php?do=%3B
/register.php?do='OR
/register.php?do='OR
/register.php?do=' or 1=1--
/register.php?do= or 1=1--
/register.php?do=' or 'a'='a
/register.php?do=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/sendmessage.php?s='UNION'
/sendmessage.php?s='UNION'
/sendmessage.php?s='
/sendmessage.php?s='
/sendmessage.php?s='%22
/sendmessage.php?s='%22
/sendmessage.php?s=9%2c+9%2c+9
/sendmessage.php?s=9%2c+9%2c+9
/sendmessage.php?s='bad_bad_value
/sendmessage.php?s='bad_bad_value
/sendmessage.php?s=bad_bad_value'
/sendmessage.php?s=bad_bad_value'
/sendmessage.php?s='+OR+'
/sendmessage.php?s='+OR+'
/sendmessage.php?s='WHERE
/sendmessage.php?s='WHERE
/sendmessage.php?s=%3B
/sendmessage.php?s=%3B
/sendmessage.php?s='OR
/sendmessage.php?s='OR
/sendmessage.php?s=' or 1=1--
/sendmessage.php?s= or 1=1--
/sendmessage.php?s=' or 'a'='a
/sendmessage.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/faq.php?s='UNION'
/faq.php?s='UNION'
/faq.php?s='
/faq.php?s='
/faq.php?s='%22
/faq.php?s='%22
/faq.php?s=9%2c+9%2c+9
/faq.php?s=9%2c+9%2c+9
/faq.php?s='bad_bad_value
/faq.php?s='bad_bad_value
/faq.php?s=bad_bad_value'
/faq.php?s=bad_bad_value'
/faq.php?s='+OR+'
/faq.php?s='+OR+'
/faq.php?s='WHERE
/faq.php?s='WHERE
/faq.php?s=%3B
/faq.php?s=%3B
/faq.php?s='OR
/faq.php?s='OR
/faq.php?s=' or 1=1--
/faq.php?s= or 1=1--
/faq.php?s=' or 'a'='a
/faq.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system written
in PHP.

The remote version of this software is vulnerable to a SQL injection issue. It is
reported that versions 3.0.0 through to 3.0.3 are prone to this issue. An attacker
may exploit this flaw to gain the control of the remote database.


See also : http://secunia.com/advisories/12531/
Solution : Upgrade to vBulletin 3.0.4 or newer
Risk factor : High
BID : 11193
Nessus ID : 14785
Quote:
Vulnerability www (80/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/index.php?s='UNION'
/index.php?s='UNION'
/index.php?s='
/index.php?s='
/index.php?s='%22
/index.php?s='%22
/index.php?s=9%2c+9%2c+9
/index.php?s=9%2c+9%2c+9
/index.php?s='bad_bad_value
/index.php?s='bad_bad_value
/index.php?s=bad_bad_value'
/index.php?s=bad_bad_value'
/index.php?s='+OR+'
/index.php?s='+OR+'
/index.php?s='WHERE
/index.php?s='WHERE
/index.php?s=%3B
/index.php?s=%3B
/index.php?s='OR
/index.php?s='OR
/index.php?s=' or 1=1--
/index.php?s= or 1=1--
/index.php?s=' or 'a'='a
/index.php?s=') or ('a'='a

An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
Nessus ID : 11139
Quote:
Vulnerability www (80/tcp)
The remote host is running vBulletin, a web based bulletin board system written
in PHP.

The remote version of this software is vulnerable to a SQL injection issue. It is
reported that versions 3.0.0 through to 3.0.3 are prone to this issue. An attacker
may exploit this flaw to gain the control of the remote database.


See also : http://secunia.com/advisories/12531/
Solution : Upgrade to vBulletin 3.0.4 or newer
Risk factor : High
BID : 11193
Nessus ID : 14785
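As an added, defender-side example (not code from this thread or from vBulletin): the scanner sent the same payload list to every script, which is why Nessus ID 11139 repeats for each one, so a small triage script that recognises those probe shapes in Apache access logs tells you whether you are looking at one scanner sweep or repeated targeted attempts. It assumes the Apache combined log format; the log lines, addresses and user-agent strings are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Probe shapes taken from the Nessus 11139 URL list quoted in the thread,
# matched against the URL-decoded value of each query parameter.
SIGNATURES = [
    ("tautology", re.compile(r"\bor\b\s*\(?\s*\S+\s*=\s*\S+", re.I)),
    ("union", re.compile(r"\bunion\b", re.I)),
    ("comment", re.compile(r"--\s*$")),
    ("separator", re.compile(r";")),
    ("quote", re.compile(r"'")),
]
# Apache combined log format; only the fields triage needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(value):
    """Names of the probe shapes present in one decoded parameter value."""
    return [name for name, pat in SIGNATURES if pat.search(value)]

def flagged_params(line):
    """(ip, script path, {param: tags}) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = {k: classify(v) for k, v in parse_qsl(target.query, keep_blank_values=True)}
    return m.group("ip"), target.path, {k: t for k, t in hits.items() if t}

def triage(lines, sweep_threshold=3):
    """Group flagged requests by source IP. A source sending the same probe shapes to
    >= sweep_threshold distinct scripts looks like a scanner sweep (as in the report above)."""
    by_ip = defaultdict(lambda: {"scripts": set(), "tags": set()})
    for line in lines:
        parsed = flagged_params(line)
        if parsed and parsed[2]:
            ip, script, hits = parsed
            by_ip[ip]["scripts"].add(script)
            for tags in hits.values():
                by_ip[ip]["tags"].update(tags)
    for info in by_ip.values():
        info["sweep"] = len(info["scripts"]) >= sweep_threshold
    return dict(by_ip)

# Constructed sample lines: three of the quoted probes from one source, plus one normal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2004:11:20:01 +0000] "GET /forumdisplay.php?f=%27+or+1%3D1-- HTTP/1.1" 200 5120 "-" "Nessus"',
    '10.0.0.5 - - [11/Nov/2004:11:20:02 +0000] "GET /calendar.php?s=%27UNION%27 HTTP/1.1" 200 4711 "-" "Nessus"',
    '10.0.0.5 - - [11/Nov/2004:11:20:03 +0000] "GET /faq.php?s=%3B HTTP/1.1" 200 3002 "-" "Nessus"',
    '192.0.2.9 - - [11/Nov/2004:11:21:10 +0000] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
]
```

A flagged line only records that the probe was sent, not that the parameter was unsafe; whether `f` or `s` is actually exploitable depends on how the script casts or escapes the value, which is the check the report's "Solution" line points at.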
#2
11-11-2004, 11:49 AM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

...

Well, this would be the wrong site to report this to, not to mention that I think anything that obvious would have been caught ages ago during beta 3. At this time there are no known security issues with vBulletin 3; if you have proof of one and how to exploit it consistently, please report it to the main website.
#3
11-11-2004, 09:00 PM
Natch
Join Date: Nov 2002
Location: Australia
Posts: 851

FYI: the vulnerabilities mentioned on Secunia are both the same, and are both referring to the issue in the authorize.net payment processing.