SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   vBulletin Vendors:   Jelsoft Enterprises
vBulletin Input Validation Flaw in XMLRPC API Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031000
SecurityTracker URL:  http://securitytracker.com/id/1031000
CVE Reference:   CVE-2014-2021   (Links to External Site)
Date:  Oct 14 2014
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 4.x, 5.x; Tested on 4.2.0 PL2, 4.2.1, 4.2.2, 5.0.5
Description:   A vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks.

The system does not properly filter HTML code from user-supplied input in the XMLRPC API before displaying the input. A remote user with knowledge of the API key can submit specially crafted data that, when viewed by a target authenticated administrative user via the XMLRPC API logging page, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vBulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Systems with the API interface and API-Logging features enabled are affected.

The vendor was notified on January 14, 2014, without response.

oststrom reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vBulletin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbulletin.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [FD] CVE-2013-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

CVE-2013-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via
xmlrpc API (post-auth)

============================================================================
====================

 

Overview

- --------

 

    date    :  10/12/2014  

    cvss    :  4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base

    cwe     :  79 

    

    vendor  : vBulletin Solutions

    product : vBulletin 4

    versions affected :  latest 4.x and 5.x (to date); verified <= 4.2.2  ;
<= 5.0.x

            * vBulletin 5.0.5      (verified)

           * vBulletin 4.2.2     (verified)  

            * vBulletin 4.2.1     (verified)  

            * vBulletin 4.2.0 PL2 (verified)  

                

    exploitability :

            * remotely exploitable

            * requires authentication (apikey)

            * requires non-default features to be enabled (API interface,
API-Logging)

            * requires user interaction to trigger exploit (admincp - admin
views logs)

                

    patch availability (to date) :  None

 

 

Abstract

- ---------

    vBulletin 4/5 does not properly sanitize client provided xmlrpc
attributes (e.g. client name)

    allowing the remote xmlrpc client to inject code into the xmlrpc API
logging page. 

    Code is executed once an admin visits the API log page and clicks on the
API clients name.

    

    risk:  rather low - due to the fact that you the api key is required

           you can probably use CVE-2014-2023 to obtain the api key

 

 

Details

- --------

    

    vulnerable component: 

        ./admincp/apilog.php?do=viewclient

    apilog.php does not sanitize xmlrpc client provided data before passing
it to

    print_label_row to generate the output page.

 

 

Proof of Concept (PoC)

- ----------------------

 

    see https://github.com/tintinweb/pub/cve-2013-2021

    

    

    1) prerequesites

    1.1) enable API, generate API-key

         logon to AdminCP

         goto "vBulletin API"->"API-Key" and enable the API interface,
generate key

         goto "vBulletin API"->"API-Log" and enable all API logging

    2) run PoC

         edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)

         run PoC, wait for SUCCESS! message

    3) trigger exploit

        logon to AdminCP

         goto "vBulletin API"->"API-Log" and hit "view"

         in search results click on "client name"

         the injected msgbox pops up

         

 

Timeline

- --------

 

    2014-01-14: initial vendor contact - no reply

    2014-01-24: vendor contact - no reply

    2014-10-13: public disclosure

    

Contact

- --------

 

    tintinweb - https://github.com/tintinweb/pub/cve-2013-2021

    

    

(0x721427D8)

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJUPDfoAAoJEBgB43t1YjbLsu8P/1m8lGQGk8MwjsbpcHsEkfdD

CPEivvYOUfQXQPas5iqTLmWGqJWFvpKm9pHX4+Iygq3ogeAO7cmefSEvltX55uuF

6LaikmhjYfJW1SutTKE375HGuBxRA2m1kuvBN2z2bY+yqDZXpKeO9Ho1YEYQJ79N

Q6Urz8WWO41tUhEJ2APdB6BhXIulEBM7Xogy2qlFoKD4Z7vNCt7olNTpe7+gzJe2

cZTiLMLMxndgkfb2evORcX/a9EdAeDPYvgQrmzmeUllZ24CK4C+JM2iOsRLSaIqf

uvbwv4ZKvtlX0LuAYTEk9N1gvDYnxEwHiv7+hsVYpSxHSLS+Nk77mir/LnZxsW9A

pz36AmavGekvi1hr7QYMLB/b4+TREeKKjA0XAf6eZbwDeNgSXLY2ptvY8Li+oRHL

qYPkwrDHm57FjG4LRgsYGBdzi7ALW1nRfBuh1KAbklavXSHitVsBJhREX/YsJ12g

ycbGqxkP4keSTqb61EHtW8hU41riPT5+XxhWgQRVVJvc3t5rp8ztzzTrbhsyz7PW

CQ5bTSR1rks0MRHaoEm9SrVvITIBrhGHpCplqWOKiEcSSHr0Q4RBxB8jr3n1eR1R

Nzzpp//PUBQazScCa3zJOrCrfOCJjmKPUZwqRRyook1hJRWj0IzVLVqUEUCuHCj9

skeeueYa1iweiHwNgZdn

=BO28

-----END PGP SIGNATURE-----


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC