By exploitdb papers bot•February 14, 2005•
papers
vBulletin 3.0.4 'forumdisplay.php' Code Execution Explained
vBulletin 3.0.4 'forumdisplay.php' Code Execution Explained
What this paper is
This paper describes a vulnerability in vBulletin version 3.0.4 that allows an unauthenticated attacker to execute arbitrary commands on the web server. The exploit leverages how PHP handles global variables and a specific configuration setting within vBulletin to achieve remote code execution.
Simple technical breakdown
The core of the vulnerability lies in how PHP processes the GLOBALS superglobal array when it's passed in a URL. If a parameter like GLOBALS[]=1 is present in the URL, PHP will create or modify an entry in the GLOBALS array. The exploit then crafts a URL that injects a command into a variable that vBulletin uses to display forum information. Because a specific configuration option (showforumusers) is enabled, vBulletin attempts to execute this injected command when rendering the forumdisplay.php page.
Complete code and payload walkthrough
The provided exploit is a URL string, not traditional code with functions or shellcode in the sense of a compiled binary. The "code" here is the crafted HTTP GET request.
Exploit URL:http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
Let's break down the components of this URL:
http://site/forumdisplay.php: This is the target script within the vBulletin application.GLOBALS[]=1: This is the crucial part for bypassing security. In PHP, ifregister_globalsis enabled (which was common at the time, though deprecated), or if theGLOBALSarray is manipulated directly, this syntax can inject values into theGLOBALSarray. The[]=1syntax attempts to add an element to theGLOBALSarray. The paper explicitly mentions this is to bypassunset($GLOBALS["$_arrykey"])ininit.php, suggesting that a direct manipulation ofGLOBALSis needed to circumvent a sanitization step.f=2: This parameter likely specifies the forum ID to display. It's a legitimate parameter forforumdisplay.php.comma=".system('id').": This is the command injection payload.comma=: This is a parameter name. The value assigned to it is what gets injected.".system('id').": This is the injected string..: In PHP, the dot (.) is the string concatenation operator.system('id'): This is a PHP function call.system()executes a command and outputs the result.'id'is the command being executed, which typically displays the user ID and group information of the process running the web server.- The surrounding double quotes (
") and dots (.) are part of the string construction. The exploit likely relies on the fact that thecommaparameter is used in a context where it's concatenated into a larger string that is then evaluated or displayed in a way that allows PHP code execution. The paper implies that thecommaparameter is used in a string that is then passed tosystem()or a similar function by the vBulletin application logic.
Mapping:
http://site/forumdisplay.php: Target script.GLOBALS[]=1: Bypass mechanism forinit.phpsanitization.f=2: Legitimate parameter, likely for context.comma=".system('id').": Command injection payload.system('id'): The actual command to be executed on the server.
Payload Stages:
There are no distinct shellcode stages in the traditional sense. The "payload" is the crafted URL that triggers the vulnerability. The execution flow is:
- HTTP Request: The attacker sends the crafted URL to the vBulletin server.
- PHP Processing: The vBulletin application's
forumdisplay.phpscript starts executing. - Global Variable Manipulation: PHP processes the
GLOBALS[]=1parameter, potentially affecting howinit.php's sanitization is bypassed. - Parameter Parsing: The
commaparameter is parsed. - Vulnerability Trigger: The vBulletin application logic, under specific conditions (detailed below), uses the value of the
commaparameter in a way that leads tosystem('id')being executed. The paper suggests that thecommaparameter is directly concatenated into a string that is then passed tosystem().
Practical details for offensive operations teams
- Required Access Level: Unauthenticated (guest/visitor).
- Lab Preconditions:
- A vBulletin 3.0.4 installation.
- The
showforumusersoption must be enabled in vBulletin's administrative settings. - The target vBulletin installation must have at least one user currently viewing a forum to satisfy the
$DB_site->fetch_array($forumusers) == Truecondition. This means the forum shouldn't be completely empty of active viewers. magic_quotes_gpcmust be disabled in the server's PHP configuration. This is a critical prerequisite.- The
init.phpfile must contain theunset($GLOBALS["$_arrykey"])code that theGLOBALS[]=1bypass targets.
- Tooling Assumptions:
- A web browser or a tool like
curlto send HTTP requests. - Knowledge of the target vBulletin version and its configuration.
- A web browser or a tool like
- Execution Pitfalls:
magic_quotes_gpcenabled: This will automatically escape single quotes, null bytes, and backslashes, potentially breaking the command injection.showforumusersdisabled: The vulnerability relies on this option being on.- No active users viewing forums: The
$DB_site->fetch_array($forumusers) == Truecondition will not be met. - Incorrect vBulletin version: The exploit is specific to 3.0.4.
- Bypass failure: If the
init.phpsanitization is different or if theGLOBALS[]=1bypass doesn't work as expected, the injection might fail. - Command not found: The
idcommand might not be in the server's PATH for the web server user. A more common command likelsorpwdmight be a better initial test.
- Tradecraft Considerations:
- Reconnaissance: Confirming the vBulletin version and checking for the
showforumuserssetting is crucial. - Payload Variation: While
idis shown, operators would test other commands (whoami,pwd,ls,uname -a) to confirm execution and gather information. - Stealth: Exploiting via GET parameters can be logged. Using POST requests if the vulnerability allowed, or obfuscating parameters, might be considered for more advanced operations, though this specific exploit is a GET request.
- Post-Exploitation: If successful, the immediate goal is to establish a more persistent channel or pivot, depending on the engagement objectives.
- Reconnaissance: Confirming the vBulletin version and checking for the
Where this was used and when
- Approximate Year: 2005. This exploit was published on milw0rm.com in February 2005.
- Context: This vulnerability would have been exploited against websites running vBulletin 3.0.4. At the time, vBulletin was a very popular forum software, so the attack surface was significant. It's likely that this exploit was used in opportunistic attacks by various threat actors, including script kiddies and potentially more organized groups looking to compromise web servers for various malicious purposes (e.g., defacement, hosting malware, spamming).
Defensive lessons for modern teams
- Keep Software Updated: This is the most fundamental lesson. Running outdated software with known vulnerabilities is a primary entry vector. vBulletin 3.0.4 is ancient; any modern system would have patched this long ago.
- Secure PHP Configuration:
- Disable
register_globals: This directive was a major source of vulnerabilities and has been deprecated and removed in modern PHP versions. - Enable
magic_quotes_gpc(historically): While deprecated and removed, historically, this setting provided some protection against certain types of injection by automatically escaping special characters. However, it's not a robust solution and can break legitimate application functionality. Modern applications rely on parameterized queries and proper input validation.
- Disable
- Input Validation and Sanitization: Applications must rigorously validate and sanitize all user-supplied input. Never trust data coming from the client. This includes checking parameter types, lengths, and allowed characters, and properly escaping or encoding output when it's displayed or used in sensitive contexts.
- Principle of Least Privilege: The web server process should run with the minimum necessary privileges. This limits the impact of a successful compromise.
- Web Application Firewalls (WAFs): WAFs can detect and block common attack patterns like those seen in this exploit, though they are not a substitute for secure coding practices.
- Configuration Management: Regularly audit application and server configurations to ensure security settings are correctly applied and that unnecessary features or options (like
showforumusersif not strictly needed for functionality) are disabled.
ASCII visual (if applicable)
This exploit is a direct HTTP request to a vulnerable script. An ASCII visual might be overly simplistic, but it can illustrate the flow of the request and the injection point.
+-----------------+ +-----------------+ +-----------------+
| Attacker's | ---> | Web Server | ---> | vBulletin |
| Machine | | (HTTP Request) | | Application |
+-----------------+ +-----------------+ +-----------------+
^ |
| |
| v
| +-----------------+
| | forumdisplay.php|
| | (Vulnerable) |
| +-----------------+
| |
| v
| +-----------------+
| | system('id') |
| | (Command Exec.) |
| +-----------------+
| |
+--------------------------------------------------+
(Command Output)Source references
- PAPER ID: 818
- PAPER TITLE: vBulletin 3.0.4 - 'forumdisplay.php' Code Execution (1)
- AUTHOR: AL3NDALEEB
- PUBLISHED: 2005-02-14
- KEYWORDS: PHP,webapps
- PAPER URL: https://www.exploit-db.com/papers/818
- RAW URL: https://www.exploit-db.com/raw/818
Original Exploit-DB Content (Verbatim)
Exploit:
----------------
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
Conditions:
----------------
1st condition : $vboptions['showforumusers'] == True , the admin must set
showforumusers ON in vbulletin options.
2nd condition : $bbuserinfo['userid'] == 0 , you must be an visitor/guest.
3rd condition : $DB_site->fetch_array($forumusers) == True , when you
visit the forums, it must has at least one user show the forum.
4th condition : magic_quotes_gpc must be OFF
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
init.php by secret array GLOBALS[]=1 ;)))
# milw0rm.com [2005-02-14]