Results 1 to 3 of 3
  1. #1
    Join Date
    Mar 2002
    Location
    Canada
    Posts
    142

    * vBulletin XSS Security Bug

    vBulletin XSS Security Bug

    vBulletin is a powerful and widely used bulletin board system, based on
    PHP language and MySQL database. One of its features is the usage of
    templates to modify the boards look. I discovered lately a Cross-Site
    Scripting vulnerability that would attackers to inject maleficent codes
    and execute it on the clients browser.

    + Vulnerable Versions:

    - Jelsoft vBulletin 2.2.8.
    - Jelsoft vBulletin 2.2.7.
    - Jelsoft vBulletin 2.2.6.
    - Jelsoft vBulletin 2.2.5.
    - Jelsoft vBulletin 2.2.4.
    - Jelsoft vBulletin 2.2.3.
    - Jelsoft vBulletin 2.2.2.
    - Jelsoft vBulletin 2.2.1.
    - Jelsoft vBulletin 2.2.0.
    - Jelsoft vBulletin 2.0.2.
    - Jelsoft vBulletin 2.0.1.
    - Jelsoft vBulletin 2.0.0.
    - Jelsoft vBulletin 2.0.0 Candidate 3.
    - Jelsoft vBulletin 2.0.0 Candidate 2.
    - Jelsoft vBulletin 2.0.0 Candidate 1.
    - Jelsoft vBulletin 2.0.0 Beta 5.
    - Jelsoft vBulletin 2.0.0 Beta 4.
    - Jelsoft vBulletin 2.0.0 Beta 4.1.
    - Jelsoft vBulletin 2.0.0 Beta 3.
    - Jelsoft vBulletin 2.0.0 Beta 2.
    - Jelsoft vBulletin 2.0.0 Beta 1.
    - Jelsoft vBulletin 2.0.0 Alpha.

    + Details:

    In global.php there is a variable [$scriptpath], the value of it is the
    referred URL that the client came from. Move on to admin/functions.php,
    in show_nopermission function the $scriptpath is called as a global
    variable. The content of the variable gets printed in the
    error_nopermission_loggedin template without filtering it. So if we pass
    some tags and script codes in the URL and refresh the page it will be
    printed in the no permission template. The same thing with $url variable
    which print its contents in many templates.

    + Exploit:

    Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

    - Go to usercp.php?s=[Session ID]"><Script>alert
    (document.cookie);</Script> [You can use it wherever
    error_nopermission_loggedin get printed].
    - A pop-up window will appear and you'll receive an error message.
    - Then log in.
    - Go back to the previous pages where you left the login form.
    - Then the pop-up window will appear again containing the User ID and
    Password Hash.

    The same thing with $url templates.

    + Solution:

    - Forum administrator can add some codes that will check the referred
    URL and filter its inputs or upgrade to vBulletin 3.0.
    Log On.
    Hack In.
    Go AnyWhere.
    Steal AnyThing.

  2. #2
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Old news...

    Look on vBulletin's site, there is a patch for it...

    You'll notice the original person posting this didn't know alot about vB, because it says to upgrade to vB3, which prolly won't be out for another few months

    There will be a 2.2.9 release in the next few days with this fix...

    If you want to see how to patch your forum, so you don't have to do a full upgrade and loose all your hacks, look on vBulletin's forum in the vB2 bugs, there is a thread about this, and I posted the steps to patch...

  3. #3
    Join Date
    Aug 2002
    Location
    Chicago, IL, United States
    Posts
    64
    well, at least he is letting the public know
    Anthony LaMantia
    http://www.bia-security.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •