Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: va1031.htm

vBulletin Cross Site Scripting Vulnerability



CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability
CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/ 

       vBulletin Cross Site Scripting Vulnerability


*Advisory Information*

Title: vBulletin Cross Site Scripting Vulnerability
Advisory ID: CORE-2008-0813
Advisory URL: http://www.coresecurity.com/my-advisory 
Date published: 2008-08-20
Date of last update: 2008-08-19
Vendors contacted: vBulletin team
Release mode: Coordinated release


*Vulnerability Information*

Class: XSS flaw
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A	
CVE Name: N/A	


*Vulnerability Description*

vBulletin [1] is a community forum solution for a wide range of users,
including industry leading companies. A XSS vulnerability has been
discovered that could allow an attacker to carry out an action
impersonating a legal user, or to obtain access to a user's account.
This flaw allows unauthorized disclosure and modification of
information, and it allows disruption of service.


*Vulnerable Packages*

. vBulletin 3.7.2 Patch Level 1.
. vBulletin 3.6.10 Patch Level 3.
. Older versions are probably affected too, but they were not checked.


*Non-vulnerable Packages*

. vBulletin 3.7.2 Patch Level 2.
. vBulletin 3.6.10 Patch Level 4.


*Vendor Information, Solutions and Workarounds*

vBulletin team has released patches for this flaw (see [2]), and new
fixed versions of vBulletin (3.6.11 and 3.7.3) will be available on
Tuesday, August 26th. Refer to [3] for more details.


*Credits*

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


*Technical Description / Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within vBulletin
community forum solution. In order to exploit this flaw the following
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private 
Message Notification Pop-Up enabled). There are many forums with this
option enabled by default for all new users.

The title is not being encoded in the following rendered HTML code:

/-----------



- -----------/

The variable '$newpm[title]' in 'install/vbulletin-style.xml' was
previously de-sanitized in 'global.php' and only slash-escaping survives:

/-----------

//
#############################################################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND
$vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND
!defined('NOPMPOPUP'))
{
	$userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
	$userdm->set_existing($vbulletin->userinfo);
	$userdm->set('pmpopup', 1);
	$userdm->save(true, 'pmpopup');	// 'pmpopup' tells db_update to issue a
shutdownquery of the same name
	unset($userdm);

	if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')
	{
		$newpm = $db->query_first("
		SELECT pm.pmid, title, fromusername
		FROM " . TABLE_PREFIX . "pmtext AS pmtext
		LEFT JOIN " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
		WHERE pm.userid = " . $vbulletin->userinfo['userid'] . "
		AND pm.folderid = 0
		ORDER BY dateline DESC
		LIMIT 1");
	
		$newpm['username'] addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
		$newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'],
true), '"');
		$shownewpm = true;
	}
}

- -----------/

Which of course allows XSS attacks.

The 'alert' Proof of Concept (PoC) exploit would be to write a PM to the
user you want to attack with this subject:

/-----------

- -->


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH