vBulletin - Insecure Custom BBCode Tags Apr 29 2010 03:20PM
advisories intern0t net
vBulletin - Insecure Custom BBCode Tags

Versions Affected: 3.8.4 PL2 (Most likely all versions)


Content publishing, search, security, and more: vBulletin has it all. Whether it's available features, support, or ease-of-use, vBulletin offers the most for your money. Learn more about what makes vBulletin the choice for people who are serious about creating thriving online communities.


-:: The Advisory ::-

A vulnerability exists within vBulletin that allows an attacker to inject code such as HTML or JavaScript via custom BBCode tags, provided the conditions described below are met.


- The user input must be placed in a template variable ({param} or {option}) inside an HTML tag.

- The attribute value holding it must be enclosed in apostrophes (single quotes) or not quoted at all.

Insecure Implementations:

- Example 1 (src is insecure)

<img src='{param}' style='border-width:5px;border-color:red;border-style:outset;' />

- Example 2 (href is insecure)

<a href={option} style=border-width:5px;border-color:red;border-style:outset;>{param}</a>

Exploitation of the Above Implementations:

- Example 1 (PoC)

[BadTag]x:x' onerror=alert(0) foo='[/BadTag]

- Example 2 (PoC)

[BadTag2=fail onmouseover=alert(0)]Link[/BadTag2]

-:: Solution ::-

Escape the BBCode parameters in the PHP files with htmlentities($var, ENT_QUOTES); or htmlspecialchars($var, ENT_QUOTES); (without ENT_QUOTES, apostrophes are left untouched).

(Jelsoft should fix this; however, I may provide a patch if they don't.)

Alternatively, do not use apostrophes (or no quoting at all) around attribute values in custom BBCode where user input is placed inside a variable.

Examples of Secure Implementations:

<img src="{param}" style='border-width:5px;border-color:red;border-style:outset;' />

[ + ] Note that src's value is encapsulated with quotes.

<a href="{option}" style=border-width:5px;border-color:red;border-style:outset;>{param}</a>

[ + ] Note that href's value is encapsulated with quotes.
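The following Python model, added here as an example and not vBulletin's code or the advisory author's, reproduces the two template pairs above and the two proof-of-concept values: escape_compat and escape_quotes (assumed names) mimic PHP's htmlspecialchars() without and with ENT_QUOTES, on the assumption implied by the solution that the parser already escapes double quotes but not apostrophes; injected_handlers checks whether a rendered tag gained an event-handler attribute, and unsafe_attributes lints a template for single-quoted or unquoted attribute values. It also shows that escaping apostrophes alone does not help the unquoted href case, which only quoting the attribute fixes.

```python
import re
from html.parser import HTMLParser

# Constructed templates mirroring the advisory's four examples (not vBulletin code).
INSECURE_IMG = "<img src='{param}' style='border-width:5px;' />"
INSECURE_A = "<a href={option} style=border-width:5px;>{param}</a>"
SECURE_IMG = '<img src="{param}" style=\'border-width:5px;\' />'
SECURE_A = '<a href="{option}" style=border-width:5px;>{param}</a>'
# The advisory's two proof-of-concept values.
POC_IMG = "x:x' onerror=alert(0) foo='"
POC_A = "fail onmouseover=alert(0)"

def escape_compat(value):
    """Mimic PHP htmlspecialchars() default flags: double quotes escaped, apostrophes not."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def escape_quotes(value):
    """Mimic htmlspecialchars($var, ENT_QUOTES): both quote characters are escaped."""
    return escape_compat(value).replace("'", "&#039;")

def render(template, param="", option="", esc=escape_compat):
    """Substitute the escaped user values for {param} and {option} in the template."""
    return template.replace("{param}", esc(param)).replace("{option}", esc(option))

class _AttrCollector(HTMLParser):
    """Record every attribute name a browser-like parser sees in the markup."""
    def __init__(self):
        super().__init__()
        self.attrs = set()
    def handle_starttag(self, tag, attrs):
        self.attrs.update(name for name, _ in attrs)

def injected_handlers(html):
    """Event-handler attributes in the rendered output; a non-empty set means injection."""
    p = _AttrCollector()
    p.feed(html)
    return {a for a in p.attrs if a.startswith("on")}

# Attribute whose value contains {param}/{option} and is single-quoted or unquoted.
_UNSAFE_ATTR = re.compile(
    r"(\w+)=(?:'[^']*\{(?:param|option)\}[^']*'|[^\s\"'>]*\{(?:param|option)\})")

def unsafe_attributes(template):
    """Lint a custom BBCode template for the two conditions named in the advisory."""
    return [m.group(1) for m in _UNSAFE_ATTR.finditer(template)]
```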

Disclosure Information:

- Vulnerability found on 29 April 2010

- Vendor and Bugtraq (SecurityFocus) were contacted on 29 April

- Disclosed on InterN0T on 29 April



All of the best,




Copyright 2010, SecurityFocus