SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin Forum Input Validation Bug in 'global.php' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005456
SecurityTracker URL:  http://securitytracker.com/id/1005456
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 18 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.2.0 alpha - 2.2.8
Description:   An input validation vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks against vBulletin users.

It is reported that the software does not properly filter the [$scriptpath] variable set in 'global.php'. The show_nopermission() function in 'admin/functions.php' uses $scriptpath as a global variable, and its contents are printed in the error_nopermission_loggedin template without filtering.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running vBulletin and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The same flaw reportedly exists in the $url variable, which is printed in several templates.
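
The pattern described above, shown next to its corrected form. This is an added illustration, not vBulletin source code: the function names, the template markup and the 32-hex-character session ID format are assumptions made for the example, and the sample path is the advisory's own demonstration string with a placeholder session ID.

```php
<?php
// Added illustration; not vBulletin source. All function names are hypothetical.

// Constructed sample: the request path from the advisory's demonstration,
// with a placeholder where the session ID would be.
$scriptpath = 'usercp.php?s=SESSIONID"><Script>alert(document.cookie);</Script>';

// Vulnerable pattern: the request-derived value is interpolated into an HTML
// attribute unchanged, so the '">' sequence closes the attribute and the tag.
// The form markup is constructed for this example.
function render_nopermission_unsafe(string $scriptpath): string
{
    return '<form action="login.php"><input type="hidden" name="url" value="'
        . $scriptpath . '"></form>';
}

// Corrected pattern: encode for the HTML context at the point of output.
// ENT_QUOTES encodes both quote styles, so the value cannot leave the attribute.
function render_nopermission_safe(string $scriptpath): string
{
    $encoded = htmlspecialchars($scriptpath, ENT_QUOTES, 'UTF-8');
    return '<form action="login.php"><input type="hidden" name="url" value="'
        . $encoded . '"></form>';
}

// Additional input check: accept the 's' parameter only when it matches the
// expected shape (assumed here to be 32 hex characters); otherwise drop it.
function clean_session_id(string $s): string
{
    return preg_match('/\A[a-f0-9]{32}\z/i', $s) === 1 ? $s : '';
}

$unsafe = render_nopermission_unsafe($scriptpath);
$safe   = render_nopermission_safe($scriptpath);

// Report whether each rendering still contains a script element.
var_dump(stripos($unsafe, '<script>') !== false);
var_dump(stripos($safe, '<script>') !== false);

// The malformed session value from the sample is rejected outright.
var_dump(clean_session_id('SESSIONID"><Script>alert(document.cookie);</Script>'));
```

Encoding at output is the fix that matters; the session ID check only narrows what reaches the template and does not cover the $url variable, which needs the same encoding wherever it is printed.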

A demonstration exploit method is described:

- Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script> [You can use it wherever error_nopermission_loggedin gets printed].
- A pop-up window will appear and you'll receive an error message.
- Then log in.
- Go back to the previous pages where you left the login form.
- Then the pop-up window will appear again containing the User ID and Password Hash.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running vBulletin, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has released a fixed version (3.0), available at:

http://www.vbulletin.com/

Vendor URL:  www.vbulletin.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  vBulletin XSS Security Bug




.:: vBulletin XSS Security Bug

vBulletin is a powerful and widely used bulletin board system, based on 
PHP language and MySQL database. One of its features is the usage of 
templates to modify the board's look. I discovered lately a Cross-Site 
Scripting vulnerability that would allow attackers to inject maleficent code 
and execute it in the client's browser.

+ Vulnerable Versions:

    - Jelsoft vBulletin 2.2.8.
    - Jelsoft vBulletin 2.2.7.
    - Jelsoft vBulletin 2.2.6.
    - Jelsoft vBulletin 2.2.5.
    - Jelsoft vBulletin 2.2.4.
    - Jelsoft vBulletin 2.2.3.
    - Jelsoft vBulletin 2.2.2.
    - Jelsoft vBulletin 2.2.1.
    - Jelsoft vBulletin 2.2.0.
    - Jelsoft vBulletin 2.0.2.
    - Jelsoft vBulletin 2.0.1.
    - Jelsoft vBulletin 2.0.0.
    - Jelsoft vBulletin 2.0.0 Candidate 3.
    - Jelsoft vBulletin 2.0.0 Candidate 2.
    - Jelsoft vBulletin 2.0.0 Candidate 1.
    - Jelsoft vBulletin 2.0.0 Beta 5.
    - Jelsoft vBulletin 2.0.0 Beta 4.
    - Jelsoft vBulletin 2.0.0 Beta 4.1.
    - Jelsoft vBulletin 2.0.0 Beta 3.
    - Jelsoft vBulletin 2.0.0 Beta 2.
    - Jelsoft vBulletin 2.0.0 Beta 1.
    - Jelsoft vBulletin 2.0.0 Alpha.

+ Details:

In global.php there is a variable [$scriptpath], the value of it is the 
referred URL that the client came from. Move on to admin/functions.php, 
in the show_nopermission function the $scriptpath is called as a global 
variable. The content of the variable gets printed in the 
error_nopermission_loggedin template without filtering it. So if we pass 
some tags and script code in the URL and refresh the page it will be 
printed in the no permission template. The same thing with the $url variable, 
which prints its contents in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

    - Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script> [You can use it wherever error_nopermission_loggedin gets printed].
    - A pop-up window will appear and you'll receive an error message.
    - Then log in.
    - Go back to the previous pages where you left the login form.
    - Then the pop-up window will appear again containing the User ID and Password Hash.

The same thing with $url templates.

+ Solution:

    - Forum administrators can add some code that will check the referred 
URL and filter its inputs, or upgrade to vBulletin 3.0.

+ Links:

    - Http://www.vBulletin.com

 
 



Copyright 2019, SecurityGlobal.net LLC