vBulletin XSS Security Bug

From: Sp.IC (SpeedICNetat_private)
Date: Fri Oct 18 2002 - 05:08:55 PDT

    .:: vBulletin XSS Security Bug
    
    vBulletin is a powerful and widely used bulletin board system, based on
    PHP and a MySQL database. One of its features is the use of templates to
    modify the board's look. I recently discovered a Cross-Site Scripting
    vulnerability that would allow attackers to inject malicious code and
    execute it in the client's browser.
    
    + Vulnerable Versions:
    
        - Jelsoft vBulletin 2.2.8.
        - Jelsoft vBulletin 2.2.7.
        - Jelsoft vBulletin 2.2.6.
        - Jelsoft vBulletin 2.2.5.
        - Jelsoft vBulletin 2.2.4.
        - Jelsoft vBulletin 2.2.3.
        - Jelsoft vBulletin 2.2.2.
        - Jelsoft vBulletin 2.2.1.
        - Jelsoft vBulletin 2.2.0.
        - Jelsoft vBulletin 2.0.2.
        - Jelsoft vBulletin 2.0.1.
        - Jelsoft vBulletin 2.0.0.
        - Jelsoft vBulletin 2.0.0 Candidate 3.
        - Jelsoft vBulletin 2.0.0 Candidate 2.
        - Jelsoft vBulletin 2.0.0 Candidate 1.
        - Jelsoft vBulletin 2.0.0 Beta 5.
        - Jelsoft vBulletin 2.0.0 Beta 4.
        - Jelsoft vBulletin 2.0.0 Beta 4.1.
        - Jelsoft vBulletin 2.0.0 Beta 3.
        - Jelsoft vBulletin 2.0.0 Beta 2.
        - Jelsoft vBulletin 2.0.0 Beta 1.
        - Jelsoft vBulletin 2.0.0 Alpha.
    
    + Details:
    
    In global.php there is a variable [$scriptpath] whose value is the
    referring URL that the client came from. Moving on to admin/functions.php,
    the show_nopermission function declares $scriptpath as a global variable.
    The content of the variable is printed into the
    error_nopermission_loggedin template without any filtering. So if we pass
    some tags and script code in the URL and refresh the page, they are
    printed into the no-permission template. The same applies to the $url
    variable, whose contents are printed in many templates.
    
    + Exploit:
    
    Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:
    
        - Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script>
          [You can use it wherever error_nopermission_loggedin gets printed].
        - A pop-up window will appear and you'll receive an error message.
        - Then log in.
        - Go back to the previous pages where you left the login form.
        - Then the pop-up window will appear again containing the User ID and
          Password Hash.
    
    The same applies to the templates that print $url.
    
    + Solution:
    
        - Forum administrators can add some code that checks the referring
          URL and filters its input, or upgrade to vBulletin 3.0.
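    As an added illustration of the unfiltered interpolation described under
    Details and the filtering fix suggested under Solution (example code
    written for this page, not vBulletin's own; the template text, the
    {placeholder} syntax and the function names are assumptions):

```php
<?php
// Added example, not vBulletin's own code. It mimics the pattern the
// advisory describes: the no-permission template interpolates $scriptpath
// and $url. Placeholder syntax, template text and function names are
// assumptions made for this illustration.

// Constructed template fragment; both variables land inside attribute values.
const NOPERMISSION_TEMPLATE =
    '<form action="member.php" method="post">'
    . '<input type="hidden" name="url" value="{scriptpath}">'
    . '<a href="{url}">Return to the previous page</a></form>';

// Vulnerable variant: the values are substituted verbatim, as in the advisory.
function render_nopermission_vulnerable(string $scriptpath, string $url): string
{
    return str_replace(['{scriptpath}', '{url}'], [$scriptpath, $url], NOPERMISSION_TEMPLATE);
}

// ENT_QUOTES matters here: the data sits inside a quoted attribute, so an
// unencoded double quote alone is enough to break out of it.
function encode_for_html(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Hardened variant: HTML-encode each value before it reaches the template.
// The same call placed in global.php, where $scriptpath and $url are
// assigned, fixes every template that prints them at once.
function render_nopermission_safe(string $scriptpath, string $url): string
{
    return str_replace(['{scriptpath}', '{url}'],
        [encode_for_html($scriptpath), encode_for_html($url)], NOPERMISSION_TEMPLATE);
}

// Check an administrator can apply to any rendered template: does the tainted
// input's markup survive verbatim? Returns true when the output is clean.
function markup_neutralised(string $html, string $input): bool
{
    return strpos($html, $input) === false && stripos($html, '<script') === false;
}

// Constructed inputs modelled on the advisory's test URL.
$tainted = 'usercp.php?s=0123456789abcdef"><script>alert(document.cookie);</script>';
$legit   = 'http://www.example.com/forumdisplay.php?forumid=1';

var_dump(markup_neutralised(render_nopermission_vulnerable($tainted, $legit), $tainted));
var_dump(markup_neutralised(render_nopermission_safe($tainted, $legit), $tainted));
```

    The first check fails because the script tag is reproduced verbatim; the
    second passes because the encoded value renders as literal text.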
    
    + Links:
    
        - http://www.vBulletin.com
    



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 15:43:37 PDT