TUCoPS :: Web BBS :: Frequently Exploited :: vbxss.txt

VBulletin Cross Site Scripting Bug

.:: vBulletin XSS Security Bug

vBulletin is a powerful and widely used bulletin board system, based on 

PHP language and MySQL database. One of its features is the usage of 

templates to modify the boards look. I discovered lately a Cross-Site 

Scripting vulnerability that would attackers to inject maleficent codes 

and execute it on the clients browser.

+ Vulnerable Versions:

    - Jelsoft vBulletin 2.2.8.

    - Jelsoft vBulletin 2.2.7.

    - Jelsoft vBulletin 2.2.6.

    - Jelsoft vBulletin 2.2.5.

    - Jelsoft vBulletin 2.2.4.

    - Jelsoft vBulletin 2.2.3.

    - Jelsoft vBulletin 2.2.2.

    - Jelsoft vBulletin 2.2.1.

    - Jelsoft vBulletin 2.2.0.

    - Jelsoft vBulletin 2.0.2.

    - Jelsoft vBulletin 2.0.1.

    - Jelsoft vBulletin 2.0.0.

    - Jelsoft vBulletin 2.0.0 Candidate 3.

    - Jelsoft vBulletin 2.0.0 Candidate 2.

    - Jelsoft vBulletin 2.0.0 Candidate 1.

    - Jelsoft vBulletin 2.0.0 Beta 5.

    - Jelsoft vBulletin 2.0.0 Beta 4.

    - Jelsoft vBulletin 2.0.0 Beta 4.1.

    - Jelsoft vBulletin 2.0.0 Beta 3.

    - Jelsoft vBulletin 2.0.0 Beta 2.

    - Jelsoft vBulletin 2.0.0 Beta 1.

    - Jelsoft vBulletin 2.0.0 Alpha.

+ Details:

In global.php there is a variable [$scriptpath], the value of it is the 

referred URL that the client came from. Move on to admin/functions.php, 

in show_nopermission function the $scriptpath is called as a global 

variable. The content of the variable gets printed in the 

error_nopermission_loggedin template without filtering it. So if we pass 

some tags and script codes in the URL and refresh the page it will be 

printed in the no permission template. The same thing with $url variable 

which print its contents in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

    - Go to usercp.php?s=[Session ID]"><Script>alert

(document.cookie);</Script> [You can use it wherever 

error_nopermission_loggedin get printed].

    - A pop-up window will appear and you'll receive an error message.

    - Then log in.

    - Go back to the previous pages where you left the login form.

    - Then the pop-up window will appear again containing the User ID and 

Password Hash.

The same thing with $url templates.

+ Solution:

    - Forum administrator can add some codes that will check the referred 

URL and filter its inputs or upgrade to vBulletin 3.0.

+ Links:

    - Http://www.vBulletin.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH