
        global $templatecache,$DB_site;

        if ($templatecache[$templatename]!="") {
            $template=$templatecache[$templatename];
        } else {
            $gettemp=$DB_site->query_first("SELECT template FROM template
                                            WHERE title='".addslashes($templatename)."'");
            $template=$gettemp[template];
            $templatecache[$templatename]=$template;
        }

        if ($escape==1) {
            $template=str_replace("\"","\\\"",$template);
        }

        return $template;
    }

For efficiency the function implements a simple cache for template
strings. After fetching them from the database they're stored in the
$templatecache[] array. This array is checked for the template before
doing the SQL query. Unfortunately the array is never initialized, so
a user can pass array contents in the URL, e.g. (for simplicity not
%-escaped):

    http://www.site.url/index.php?action=faq&templatecache[faq]=hello+world

With this URL, you won't get the FAQ page, but just a blank page
with the words "hello world".

The eval() call above will execute

    echo dovars("hello world");

As if this wouldn't be bad enough, a remote user may as well pass a
value containing quotation marks and other symbols. Quotation marks
aren't always escaped, as seen in the code above, in which case
index.php could end up executing code like

    echo dovars("hello"world");

This would produce a PHP error message due to unbalanced quotes. It
doesn't take a rocket scientist to figure out how a remote user could
execute arbitrary code from here, so further details about exploitation
aren't necessary. If your vBulletin board produces an error message
with a URL like the one above prefixed with a single quotation mark,
it's definitely vulnerable.
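The following is an added example, not vBulletin's code: it puts a copy of the cache logic above next to a hardened version so the root cause is visible in one run. The FakeDb class, the $_GET contents and the template text are constructed stand-ins; the assignment of $templatecache from $_GET simulates what PHP's register_globals setting did automatically for a request like the URL above (this example assumes that setting was the source of the pre-filled array, which the page itself does not name).

```php
<?php
// Added example, not vBulletin's own code.

// Constructed stand-in for $DB_site->query_first(); a real board queries MySQL.
class FakeDb {
    private $rows = array('faq' => 'Frequently asked questions template');
    function query_first($sql) {
        if (preg_match("/title='([^']*)'/", $sql, $m) && isset($this->rows[$m[1]])) {
            return array('template' => $this->rows[$m[1]]);
        }
        return array('template' => '');
    }
}
$DB_site = new FakeDb();

// Constructed request: index.php?action=faq&templatecache[faq]=hello+world
$_GET = array('action' => 'faq', 'templatecache' => array('faq' => 'hello world'));
// With register_globals=On, PHP created $templatecache from the query string
// on its own; this line simulates that (assumption of the example).
$templatecache = $_GET['templatecache'];

// Same behaviour as the cache logic on the page: whatever is already in the
// array is trusted, so a request variable replaces the database lookup.
function gettemplate_vulnerable($templatename, $escape = 1) {
    global $templatecache, $DB_site;
    if (isset($templatecache[$templatename]) && $templatecache[$templatename] != "") {
        $template = $templatecache[$templatename];
    } else {
        $gettemp = $DB_site->query_first("SELECT template FROM template WHERE title='" . addslashes($templatename) . "'");
        $template = $gettemp['template'];
        $templatecache[$templatename] = $template;
    }
    if ($escape == 1) {
        $template = str_replace("\"", "\\\"", $template);
    }
    return $template;
}

// Hardened version: the cache is a function-local static array, so it starts
// empty on every request and no external input can pre-populate it; isset()
// is used instead of comparing an undefined entry against "".
function gettemplate_hardened($templatename, $escape = 1) {
    global $DB_site;
    static $cache = array();
    if (!isset($cache[$templatename])) {
        $gettemp = $DB_site->query_first("SELECT template FROM template WHERE title='" . addslashes($templatename) . "'");
        $cache[$templatename] = (string) $gettemp['template'];
    }
    $template = $cache[$templatename];
    if ($escape == 1) {
        $template = str_replace("\"", "\\\"", $template);
    }
    return $template;
}

echo "vulnerable: " . gettemplate_vulnerable('faq') . "\n";
echo "hardened:   " . gettemplate_hardened('faq') . "\n";
```

Run with the PHP CLI: the vulnerable function returns the attacker-supplied "hello world" and never touches the database, while the hardened one returns the stored FAQ template. The static array is only half of the fix; the board should also run with register_globals disabled and initialize every global array (`$templatecache = array();`) before first use, so that a request can never supply a variable the code expects to have created itself.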
