


vBulletin - Insecure Custom BBCode Tags






vBulletin - Insecure Custom BBCode Tags


Versions Affected: 3.8.4 PL2 (Most likely all versions)

Info:
Content publishing, search, security, and more: vBulletin has it all. Whether
it's available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.

External Links:
http://www.vbulletin.com/



-:: The Advisory ::-

A vulnerability exists within vBulletin that allows an attacker to inject HTML
or JavaScript via custom BBCode tags, provided the custom tag's HTML replacement
meets the conditions described below.

Requirements:
- The user-supplied value must be placed in a variable (placeholder) inside an attribute of an HTML tag.
- The attribute value must be enclosed in apostrophes (single quotes) or not quoted at all.


Insecure Implementations:

- Example 1 (src is insecure)


- Example 2 (href is insecure)
{param}


Exploitation of Above Implementations:

- Example 1 (PoC)
[BadTag]x:x' onerror=alert(0) foo='[/BadTag]

- Example 2 (PoC)
[BadTag2=fail onmouseover=alert(0)]Link[/BadTag2]



-:: Solution ::-

Sanitize BBCode with htmlentities($var, ENT_QUOTES); or htmlspecialchars($var); in the PHP files.
(Jelsoft should fix this; however, I may provide a patch if they don't.)

Alternatively, don't use apostrophes around a variable that holds user input in a custom BBCode replacement.

Examples of "Secure Implementation":

[ + ] Note that src's value is encapsulated with quotes.

{param}
[ + ] Note that href's value is encapsulated with quotes.


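Added example, not code from the advisory or from vBulletin: a minimal PHP model of the custom BBCode substitution step, showing how the quoting context of the attribute and the escaping flags interact for the Example 1 payload above. It also shows the caveat a practitioner should know: htmlspecialchars() with its pre-PHP-8.1 default flags does not encode apostrophes, so only the ENT_QUOTES variant covers the single-quoted case, and no escaping function rescues an unquoted attribute.

```php
<?php
// Added example (not vBulletin's parser): a simplified model of custom BBCode
// substitution. The tag body/option lands at the {param} placeholder of the
// admin-defined HTML replacement, exactly as the advisory's requirements describe.
function render_custom_bbcode(string $replacement, string $param): string
{
    return str_replace('{param}', $param, $replacement);
}

// Constructed input modelled on the advisory's Example 1 PoC: the apostrophe
// is meant to close a single-quoted src attribute so a new attribute follows.
$param = "x:x' onerror=alert(0) foo='";

// 1) Insecure (advisory's Example 1): single-quoted attribute, raw input.
echo render_custom_bbcode("<img src='{param}'>", $param), "\n";
// <img src='x:x' onerror=alert(0) foo=''>   -> attribute injected

// 2) Still insecure: htmlspecialchars() with its pre-PHP-8.1 default flags
//    (ENT_COMPAT) encodes " < > & but leaves the apostrophe untouched, so the
//    single-quoted attribute is still broken out of. Passing ENT_COMPAT
//    explicitly reproduces that old default on any PHP version.
echo render_custom_bbcode("<img src='{param}'>", htmlspecialchars($param, ENT_COMPAT)), "\n";
// <img src='x:x' onerror=alert(0) foo=''>   -> unchanged, still injected

// 3) Fixed escaping: ENT_QUOTES encodes both quote characters, so the value
//    can no longer terminate the attribute whichever quote style wraps it.
echo render_custom_bbcode("<img src='{param}'>", htmlentities($param, ENT_QUOTES)), "\n";
// <img src='x:x&#039; onerror=alert(0) foo=&#039;'>   -> inert text inside src

// 4) The advisory's "Secure Implementation": double-quoted attribute plus
//    escaping. A stray " becomes &quot; and a stray ' is harmless in "...".
echo render_custom_bbcode('<img src="{param}">', htmlentities($param, ENT_QUOTES)), "\n";
// <img src="x:x&#039; onerror=alert(0) foo=&#039;">

// 5) Caveat for the "or nothing" requirement: an unquoted attribute is ended by
//    whitespace, which no HTML entity function encodes, so escaping alone does
//    not help here. Always quote the attribute as well.
echo render_custom_bbcode("<img src={param}>", htmlentities($param, ENT_QUOTES)), "\n";
// <img src=x:x&#039; onerror=alert(0) foo=&#039;>   -> onerror still a live attribute
```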
Disclosure Information:
- Vulnerability found on the 29th of April 2010
- Vendor and Bugtraq (SecurityFocus) were contacted on the 29th of April
- Disclosed on InterN0T on the 29th of April

Reference:
http://forum.intern0t.net/intern0t-advisories/2528-vbulletin-3-8-4-pl2-insecure-custom-bbcode.html


All of the best,
MaXe

