  1. #1
    Join Date
    Mar 2002

    vBulletin XSS Security Bug

    vBulletin is a powerful and widely used bulletin board system, based on
    the PHP language and the MySQL database. One of its features is the usage
    of templates to modify the board's look. I discovered lately a Cross-Site
    Scripting vulnerability that would allow attackers to inject malicious
    code and execute it in the client's browser.

    + Vulnerable Versions:

    - Jelsoft vBulletin 2.2.8.
    - Jelsoft vBulletin 2.2.7.
    - Jelsoft vBulletin 2.2.6.
    - Jelsoft vBulletin 2.2.5.
    - Jelsoft vBulletin 2.2.4.
    - Jelsoft vBulletin 2.2.3.
    - Jelsoft vBulletin 2.2.2.
    - Jelsoft vBulletin 2.2.1.
    - Jelsoft vBulletin 2.2.0.
    - Jelsoft vBulletin 2.0.2.
    - Jelsoft vBulletin 2.0.1.
    - Jelsoft vBulletin 2.0.0.
    - Jelsoft vBulletin 2.0.0 Candidate 3.
    - Jelsoft vBulletin 2.0.0 Candidate 2.
    - Jelsoft vBulletin 2.0.0 Candidate 1.
    - Jelsoft vBulletin 2.0.0 Beta 5.
    - Jelsoft vBulletin 2.0.0 Beta 4.
    - Jelsoft vBulletin 2.0.0 Beta 4.1.
    - Jelsoft vBulletin 2.0.0 Beta 3.
    - Jelsoft vBulletin 2.0.0 Beta 2.
    - Jelsoft vBulletin 2.0.0 Beta 1.
    - Jelsoft vBulletin 2.0.0 Alpha.

    + Details:

    In global.php there is a variable [$scriptpath], the value of it is the
    referred URL that the client came from. Move on to admin/functions.php,
    in show_nopermission function the $scriptpath is called as a global
    variable. The content of the variable gets printed in the
    error_nopermission_loggedin template without filtering it. So if we pass
    some tags and script codes in the URL and refresh the page it will be
    printed in the no permission template. The same thing with the $url
    variable, which prints its contents in many templates.

    + Exploit:

    Note: Tested on Microsoft Internet Explorer 6.0 and

    - Go to usercp.php?s=[Session ID]"><Script>alert
    (document.cookie);</Script> [You can use it wherever
    error_nopermission_loggedin gets printed].
    - A pop-up window will appear and you'll receive an error message.
    - Then log in.
    - Go back to the previous pages where you left the login form.
    - Then the pop-up window will appear again containing the User ID and
    Password Hash.

    The same thing with $url templates.

    + Solution:

    - Forum administrators can add some code that will check the referred
    URL and filter its inputs, or upgrade to vBulletin 3.0.
    Log On.
    Hack In.
    Go AnyWhere.
    Steal AnyThing.
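
The filtering that the Solution section above calls for, as an added example that is not part of the original post and is not vBulletin's own code: the URL value is HTML-encoded before it reaches the template. The function names, the template markup and the sample request value are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, NOT vBulletin source. All names here are hypothetical.

// Stand-in for a "no permission" template: the URL is placed both inside
// an HTML attribute and in body text, the two contexts that matter here.
function render_nopermission(string $scriptpath): string
{
    return '<form action="' . $scriptpath . '" method="post">'
         . '<p>No permission to access ' . $scriptpath . '</p></form>';
}

// Encode the value for HTML before any template sees it.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function html_escape_url(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simple regression check: did markup from the URL survive into the page?
function has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request value with the same shape as the one in the advisory.
$requested = 'usercp.php?s=0123abcd"><script>alert(1)</script>';

$before = render_nopermission($requested);                  // unfiltered
$after  = render_nopermission(html_escape_url($requested)); // filtered

var_dump(has_script_tag($before));
var_dump(has_script_tag($after));
echo $after, "\n";
```

Encoding belongs at the point where the value is written into HTML, so every template that prints $scriptpath or $url needs the encoded form, not only error_nopermission_loggedin.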

  2. #2
    Join Date
    May 2001
    Dayton, Ohio
    Old news...

    Look on vBulletin's site, there is a patch for it...

    You'll notice the original person posting this didn't know a lot about vB, because it says to upgrade to vB3, which probably won't be out for another few months.

    There will be a 2.2.9 release in the next few days with this fix...

    If you want to see how to patch your forum, so you don't have to do a full upgrade and lose all your hacks, look on vBulletin's forum in the vB2 bugs, there is a thread about this, and I posted the steps to patch...
    -Mat Sumpter
    Director, Product Engagement
    Penton Media

  3. #3
    Join Date
    Aug 2002
    Chicago, IL, United States
    Well, at least he is letting the public know.
    Anthony LaMantia
