vBulletin 5.x / 4.x Persistent Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
  
Hash: SHA1  
  
  
  
CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via  
xmlrpc API (post-auth)  
  
============================================================================  
====================  
  
  
  
Overview  
  
- --------  
  
  
  
date : 10/12/2014   
  
cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base  
  
cwe : 79   
  
  
  
vendor : vBulletin Solutions  
  
product : vBulletin 4  
  
versions affected : latest 4.x and 5.x (to date); verified <= 4.2.2 ;  
<= 5.0.x  
  
* vBulletin 5.0.5 (verified)  
  
* vBulletin 4.2.2 (verified)   
  
* vBulletin 4.2.1 (verified)   
  
* vBulletin 4.2.0 PL2 (verified)   
  
  
  
exploitability :  
  
* remotely exploitable  
  
* requires authentication (apikey)  
  
* requires non-default features to be enabled (API interface,  
API-Logging)  
  
* requires user interaction to trigger exploit (admincp - admin  
views logs)  
  
  
  
patch availability (to date) : None  
  
  
  
  
  
Abstract  
  
- ---------  
  
vBulletin 4/5 does not properly sanitize client provided xmlrpc  
attributes (e.g. client name)  
  
allowing the remote xmlrpc client to inject code into the xmlrpc API  
logging page.   
  
Code is executed once an admin visits the API log page and clicks on the  
API clients name.  
  
  
  
risk: rather low - due to the fact that you the api key is required  
  
you can probably use CVE-2014-2023 to obtain the api key  
  
  
  
  
  
Details  
  
- --------  
  
  
  
vulnerable component:   
  
./admincp/apilog.php?do=viewclient  
  
apilog.php does not sanitize xmlrpc client provided data before passing  
it to  
  
print_label_row to generate the output page.  
  
  
  
  
  
Proof of Concept (PoC)  
  
- ----------------------  
  
  
  
see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021  
  
  
  
  
  
1) prerequesites  
  
1.1) enable API, generate API-key  
  
logon to AdminCP  
  
goto "vBulletin API"->"API-Key" and enable the API interface,  
generate key  
  
goto "vBulletin API"->"API-Log" and enable all API logging  
  
2) run PoC  
  
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)  
  
run PoC, wait for SUCCESS! message  
  
3) trigger exploit  
  
logon to AdminCP  
  
goto "vBulletin API"->"API-Log" and hit "view"  
  
in search results click on "client name"  
  
the injected msgbox pops up  
  
  
  
  
  
Timeline  
  
- --------  
  
  
  
2014-01-14: initial vendor contact - no reply  
  
2014-01-24: vendor contact - no reply  
  
2014-10-13: public disclosure  
  
  
  
Contact  
  
- --------  
  
  
  
tintinweb - https://github.com/tintinweb/pub/cve-2013-2021  
  
  
  
  
  
(0x721427D8)  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBAgAGBQJUPDfoAAoJEBgB43t1YjbLsu8P/1m8lGQGk8MwjsbpcHsEkfdD  
  
CPEivvYOUfQXQPas5iqTLmWGqJWFvpKm9pHX4+Iygq3ogeAO7cmefSEvltX55uuF  
  
6LaikmhjYfJW1SutTKE375HGuBxRA2m1kuvBN2z2bY+yqDZXpKeO9Ho1YEYQJ79N  
  
Q6Urz8WWO41tUhEJ2APdB6BhXIulEBM7Xogy2qlFoKD4Z7vNCt7olNTpe7+gzJe2  
  
cZTiLMLMxndgkfb2evORcX/a9EdAeDPYvgQrmzmeUllZ24CK4C+JM2iOsRLSaIqf  
  
uvbwv4ZKvtlX0LuAYTEk9N1gvDYnxEwHiv7+hsVYpSxHSLS+Nk77mir/LnZxsW9A  
  
pz36AmavGekvi1hr7QYMLB/b4+TREeKKjA0XAf6eZbwDeNgSXLY2ptvY8Li+oRHL  
  
qYPkwrDHm57FjG4LRgsYGBdzi7ALW1nRfBuh1KAbklavXSHitVsBJhREX/YsJ12g  
  
ycbGqxkP4keSTqb61EHtW8hU41riPT5+XxhWgQRVVJvc3t5rp8ztzzTrbhsyz7PW  
  
CQ5bTSR1rks0MRHaoEm9SrVvITIBrhGHpCplqWOKiEcSSHr0Q4RBxB8jr3n1eR1R  
  
Nzzpp//PUBQazScCa3zJOrCrfOCJjmKPUZwqRRyook1hJRWj0IzVLVqUEUCuHCj9  
  
skeeueYa1iweiHwNgZdn  
  
=BO28  
  
-----END PGP SIGNATURE-----  
  
  
`