CVE-2005-0511
published 2005-02-21

Priority: P3 52
Severity: high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 35.82% (98.3th percentile)
misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.

Affected

29 ranges · showing 25
Vendor | Product | Version range | Fixed in
jelsoft | vbulletin | |

Detection & IOCs (extracted from sources)

path: /forum/misc.php
url: http://site.com/misc.php?do=page&template={${phpinfo()}}
url: http://www.xxx.net/misc.php?do=page&template={${system(id)}}
command: template={${passthru(chr(...).chr(...))}}
  • Detect GET requests to misc.php where the 'template' parameter contains nested variable/function injection patterns such as {${...}}
  • Look for the query string pattern do=page&template= with PHP function calls (passthru, system, phpinfo), encoded or in plaintext, inside the nested {${...}} variable syntax
  • The exploit encodes the command as a chain of chr() calls joined by dots to bypass filters; detect passthru() calls with chr()-encoded arguments in the template parameter
  • The vulnerability is only triggerable when 'Add Template Name in HTML Comments' is enabled in vBulletin configuration; audit this setting as a risk indicator
  • The Metasploit check method sends 'echo ownable' via the payload; presence of the string 'ownable' in the HTTP response body indicates successful code execution
  • The vulnerability is only exploitable when the 'Add Template Name in HTML Comments' vBulletin option is enabled; disabling this setting mitigates the attack surface
  • The Metasploit module explicitly disables HTTP::junk_slashes as it interferes with reliable exploitation
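
One way to apply the request-pattern notes above to web server access logs, as an added example (not code from the advisory sources or the Metasploit module). It assumes combined-format log lines; the log entries are constructed samples and the function names `classify` and `scan` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NESTED_VAR = re.compile(r'\{\s*\$\s*\{')  # opener of the {${...}} pattern
FUNC_CALL = re.compile(r'\b(passthru|system|phpinfo)\s*\(', re.I)
CHR_CHAIN = re.compile(r'chr\s*\(\s*\d+\s*\)(\s*\.\s*chr\s*\(\s*\d+\s*\))+', re.I)

def classify(line):
    """Return finding tags for one access-log line ([] if nothing matched)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/misc.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for raw in params.get("template", []):
        # parse_qs decodes once; decode again to catch double-encoded braces.
        value = unquote(raw)
        if not NESTED_VAR.search(value):
            continue
        findings.append("nested-variable")
        if params.get("do") == ["page"]:
            findings.append("do=page")
        if FUNC_CALL.search(value):
            findings.append("php-function")
        if CHR_CHAIN.search(value):
            findings.append("chr-chain")
    return findings

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2005:10:00:00 +0000] "GET /forum/misc.php?do=page&template={${phpinfo()}} HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Feb/2005:10:00:05 +0000] "GET /misc.php?do=page&template=%7B%24%7Bpassthru(chr(105).chr(100))%7D%7D HTTP/1.1" 200 98',
    '203.0.113.5 - - [21/Feb/2005:10:01:00 +0000] "GET /forum/misc.php?do=page&template=rules HTTP/1.1" 200 2048',
    '203.0.113.6 - - [21/Feb/2005:10:02:00 +0000] "GET /forum/index.php?template={${x}} HTTP/1.1" 200 100',
]

def scan(lines):
    """Map line index -> finding tags for every line that matched."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG).items():
        print(idx, ",".join(tags))
```

A match only shows that a request carried the pattern; whether the host was exposed still depends on the vBulletin version and the 'Add Template Name in HTML Comments' setting.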