How to make secure vBulletin 4 queries

Something I see a lot is that many vulnerable vBulletin plugins do not sanitize/check variables the right way.
The right way to use user input data in queries is like this:

$vbulletin->input->clean_array_gpc('p', array(
	'username' => TYPE_NOHTML,
	'some_field' => TYPE_INT
));

$db->query_write("
	UPDATE " . TABLE_PREFIX . "table SET
		username = '" . $db->escape_string($vbulletin->GPC['username']) . "'
	WHERE some_field = '" . $vbulletin->GPC['some_field'] . "'
");

The first argument defines the type of request; 'p' means a POST request in this case.
The second argument is an array mapping each field name to the type the variable should be cleaned to.

Whenever you use a string and it should not contain any HTML, ALWAYS use TYPE_NOHTML. If you use TYPE_STR, it might open up a cross-site scripting vulnerability as well as SQL injection.

Whenever you use a variable which is not an integer, always pass it through the $db->escape_string function.

Here is a small part of the code used by the clean_array_gpc function:

			case TYPE_INT:    $data = intval($data);                                   break;
			case TYPE_UINT:   $data = ($data = intval($data)) < 0 ? 0 : $data;         break;
			case TYPE_NUM:    $data = strval($data) + 0;                               break;
			case TYPE_UNUM:   $data = strval($data) + 0;
							  $data = ($data < 0) ? 0 : $data;                         break;
			case TYPE_BINARY: $data = strval($data);                                   break;
			case TYPE_STR:    $data = trim(strval($data));                             break;
			case TYPE_NOTRIM: $data = strval($data);                                   break;
			case TYPE_NOHTML: $data = htmlspecialchars_uni(trim(strval($data)));       break;
			case TYPE_BOOL:   $data = in_array(strtolower($data), $booltypes) ? 1 : 0; break;

As you can see, variables which should be integers are passed through the intval function.
NOHTML variables are passed through the htmlspecialchars_uni function, which converts special characters to HTML entities.

Never assume that the clean_array_gpc or clean_gpc functions actually clean strings of bad stuff; they do not!
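To tie the pattern above and that warning together, here is an added example (not from the original post and not vBulletin's own code) of a plugin fragment written the vulnerable way and the recommended way; the table name userfield_extra, the column names and both function names are hypothetical.

```php
<?php
// Added example: a vBulletin 4 plugin fragment that updates a profile field.
// Assumes $vbulletin and $db are in scope as they are inside a plugin hook,
// and that the table "userfield_extra" is hypothetical.

// --- Vulnerable: raw superglobals, no typing, no escaping -----------------
function update_profile_unsafe($vbulletin, $db)
{
    $userid    = $_POST['userid'];     // attacker-controlled string
    $signature = $_POST['signature'];  // may contain quotes and HTML
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "userfield_extra
        SET signature = '" . $signature . "'
        WHERE userid = '" . $userid . "'
    ");
}

// --- Hardened: typed cleaning plus escape_string on every string ----------
function update_profile_safe($vbulletin, $db)
{
    $vbulletin->input->clean_array_gpc('p', array(
        'userid'    => TYPE_UINT,    // cast to a non-negative integer
        'signature' => TYPE_NOHTML,  // HTML special characters become entities
    ));

    // TYPE_NOHTML entity-encodes <, >, & and " but leaves a single quote
    // untouched, so the value still has to go through escape_string before
    // it is placed inside a quoted SQL literal.
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "userfield_extra
        SET signature = '" . $db->escape_string($vbulletin->GPC['signature']) . "'
        WHERE userid = " . $vbulletin->GPC['userid'] . "
    ");
}
```

Because TYPE_UINT already yields an integer, the userid can be concatenated without quotes; every string value, even one cleaned with TYPE_NOHTML, still goes through escape_string.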
