
vBulletin Cross Site Scripting Vulnerability
CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/ 

       vBulletin Cross Site Scripting Vulnerability


*Advisory Information*

Title: vBulletin Cross Site Scripting Vulnerability
Advisory ID: CORE-2008-0813
Advisory URL: http://www.coresecurity.com/my-advisory 
Date published: 2008-08-20
Date of last update: 2008-08-19
Vendors contacted: vBulletin team
Release mode: Coordinated release


*Vulnerability Information*

Class: XSS flaw
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A


*Vulnerability Description*

vBulletin [1] is a community forum solution for a wide range of users,
including industry leading companies. An XSS vulnerability has been
discovered that could allow an attacker to carry out actions while
impersonating a legitimate user, or to obtain access to a user's account.
This flaw allows unauthorized disclosure and modification of
information, and it allows disruption of service.


*Vulnerable Packages*

. vBulletin 3.7.2 Patch Level 1.
. vBulletin 3.6.10 Patch Level 3.
. Older versions are probably affected too, but they were not checked.


*Non-vulnerable Packages*

. vBulletin 3.7.2 Patch Level 2.
. vBulletin 3.6.10 Patch Level 4.


*Vendor Information, Solutions and Workarounds*

vBulletin team has released patches for this flaw (see [2]), and new
fixed versions of vBulletin (3.6.11 and 3.7.3) will be available on
Tuesday, August 26th. Refer to [3] for more details.


*Credits*

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


*Technical Description / Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within the vBulletin
community forum solution. In order to exploit this flaw the target user
must have the 'Show New Private Message Notification Pop-Up' option
enabled (set at 'http://victim/vBulletin/profile.php?do=editoptions').
Many forums have this option enabled by default for all new users.

The PM title is not HTML-encoded in the following rendered HTML code:

/-----------



- -----------/

The variable '$newpm[title]' used by the template in
'install/vbulletin-style.xml' was previously de-sanitized (entity-decoded)
in 'global.php', so only JavaScript slash-escaping survives:

/-----------

// #############################################################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND
$vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND
!defined('NOPMPOPUP'))
{
	$userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
	$userdm->set_existing($vbulletin->userinfo);
	$userdm->set('pmpopup', 1);
	$userdm->save(true, 'pmpopup');	// 'pmpopup' tells db_update to issue a shutdownquery of the same name
	unset($userdm);

	if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')
	{
		$newpm = $db->query_first("
		SELECT pm.pmid, title, fromusername
		FROM " . TABLE_PREFIX . "pmtext AS pmtext
		LEFT JOIN " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
		WHERE pm.userid = " . $vbulletin->userinfo['userid'] . "
		AND pm.folderid = 0
		ORDER BY dateline DESC
		LIMIT 1");

		// The stored (entity-encoded) values are decoded again, then only
		// slash-escaped for a JS string; no HTML encoding is applied, so
		// '<' and '>' reach the rendered <script> block untouched.
		$newpm['username'] = addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
		$newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'], true), '"');
		$shownewpm = true;
	}
}

- -----------/

unhtmlspecialchars() undoes the entity encoding applied when the PM was
stored, and addslashes_js() only escapes what a JavaScript string literal
needs (backslashes, the chosen quote character and line breaks). Characters
such as '<' and '>' therefore pass straight into the inline script, so a
title containing a closing script tag terminates the script block and the
remainder of the title is rendered as attacker-controlled HTML. This of
course allows XSS attacks.
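The failure mode above, as an added example that is not part of this advisory and not vBulletin code: unhtmlspecialchars() and addslashesJs() below are JavaScript approximations of the vBulletin 3.x PHP helpers (their exact semantics are an assumption, not a port), the template markup is a typical comment-wrapped inline script rather than the real vbulletin-style.xml markup, and the stored title is a constructed sample, not Core's PoC subject. The hardened encoder (JSON plus \uXXXX escapes for HTML-significant characters) is a general technique, not the vendor's patch [2].

```javascript
// Added example, not vBulletin code. Helpers approximate vBulletin 3.x
// unhtmlspecialchars()/addslashes_js() (assumed semantics).

// Reverse the entity encoding applied when the PM was stored.
function unhtmlspecialchars(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// Escape only what a JS string literal strictly needs: backslash, the
// delimiting quote and line breaks. '<' and '>' pass through untouched.
function addslashesJs(text, quote = '"') {
  return text
    .replace(/\\/g, '\\\\')
    .split(quote).join('\\' + quote)
    .replace(/\r\n|\r|\n/g, '\\n');
}

// Vulnerable pattern: decoded, slash-escaped title dropped into a JS string
// inside a comment-wrapped inline script (constructed template shape).
function renderPopupVulnerable(storedTitle) {
  const title = addslashesJs(unhtmlspecialchars(storedTitle), '"');
  return '<script type="text/javascript">\n<!--\n' +
         'var newpmTitle = "' + title + '";\n' +
         '//-->\n</script>';
}

// Hardened encoder: JSON-encode the string, then \u-escape the characters
// the HTML parser cares about so '</script' can never appear in the output.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function renderPopupHardened(storedTitle) {
  const title = jsStringLiteral(unhtmlspecialchars(storedTitle));
  return '<script type="text/javascript">\n<!--\n' +
         'var newpmTitle = ' + title + ';\n' +
         '//-->\n</script>';
}

// Check: a correctly rendered popup contains exactly one '</script', the
// template's own. Any extra one means the title broke out of the script.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: the title as it sits in the database after
// htmlspecialchars() on input (illustrative, not the advisory's PoC).
const SAMPLE_STORED_TITLE = '&lt;/script&gt;&lt;img src=x onerror=alert(1)&gt;';

// Returns both renderings and their script-close counts for inspection.
function demo(storedTitle = SAMPLE_STORED_TITLE) {
  const vulnerable = renderPopupVulnerable(storedTitle);
  const hardened = renderPopupHardened(storedTitle);
  return {
    vulnerable,
    vulnerableCloses: countScriptCloses(vulnerable),
    hardened,
    hardenedCloses: countScriptCloses(hardened),
  };
}
```

Calling demo() shows the vulnerable rendering ending the script block early (two '</script' occurrences, the second followed by the injected '<img ...>' as live HTML), while the hardened rendering keeps a single '</script' and the title round-trips through JSON.parse unchanged. The check in countScriptCloses() is the kind of assertion worth adding to template tests for any value that is interpolated into an inline script.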

The 'alert' proof-of-concept (PoC) exploit is to send a PM to the target
user with the following subject:

/-----------

- -->
