20050917-vbulletin-3.0.8.txt

22 Sep 2005 00:00:00 | Reported by Thomas Waldegger | Type: packetstorm | Source: packetstormsecurity.com | 40 views

vBulletin 3.0.8 security advisory for moderate risk SQL Injection, Arbitrary File Upload and XSS vulnerabilities, unpatched bugs present in the latest versio

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
---------------------------------------------------  
| BuHa Security-Advisory #3 | Sep 17th, 2005 |  
| feat. SePro Bugtraq | |  
---------------------------------------------------  
| Vendor | vBulletin |  
| URL | http://vbulletin.com/ |  
| Version | <= vBulletin 3.0.9 |  
| Risk | Moderate (SQL-Injection and |  
| | Arbitrary File Upload) |  
---------------------------------------------------  
  
First of all I want to express my disappointment with the behavior of  
the vbulletin.com and vbulletin-germany.com team and the lack of  
cooperation. We sent them a mail with a list of security issues and they  
immediately answered that they were going to look into these bugs. We  
never got another mail with information about the problems they fixed -  
they also did not inform us about the release of the latest version,  
which *should* address all known security problems. So it comes as no  
surprise that they failed to fix a lot of moderate security bugs in the  
latest version. They did not consider it necessary to release *any*  
information about patched security problems in their announcement [1]  
for the current version either. Some thanks/credits for our trouble/time  
with the audit would have been a nice gesture, but who cares.  
  
o Description:  
=============  
  
vBulletin is a powerful, scalable and fully customizable forums package  
for your web site. It has been written using the Web's quickest-growing  
scripting language, PHP, and is complemented with a highly efficient  
and ultra fast back-end database engine built using MySQL.  
  
Visit http://vbulletin.com/ for detailed information.  
  
o SQL-Injection: (Fixed in vB 3.0.9)  
===============  
  
> /joinrequests.php:  
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>  
  
> /admincp/user.php:  
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>  
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>  
  
> /admincp/usertitle.php:  
GET: <do=edit&usertitleid=0XF>  
  
> /admincp/usertools.php:  
GET: <do=pmuserstats&ids=0XF>  
  
o XSS: (Fixed in vB 3.0.9)  
=====  
  
> /admincp/css.php:  
GET: <do=doedit&dostyleid=1&group=[XSS]>  
  
> /admincp/index.php:  
GET: <redirect=[XSS]>  
  
> /admincp/user.php:  
GET: <do=emailpassword&email=[XSS]>  
  
> /admincp/language.php:  
GET: <do=rebuild&goto=[XSS]>  
  
> /admincp/modlog.php:  
GET: <do=view&orderby=[XSS]>  
  
> /admincp/template.php:  
GET: <do=colorconverter&hex=[XSS]>  
GET: <do=colorconverter&rgb=[XSS]>  
GET: <do=modify&expandset=[XSS]>  
  
o Arbitrary File Upload:  
=======================  
  
A user with access to the administrator panel (e.g. a (Co)Administrator)  
who has the privilege to add avatars/icons/smileys is able to upload  
arbitrary files. An attacker can thereby execute commands in the  
context of the web server.  
  
> /admincp/image.php:  
POST: <do=upload&table=avatar>  
POST: <do=upload&table=icon>  
POST: <do=upload&table=smilie>  
  
This issue is not addressed in vBulletin 3.0.9.  
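The checks that close an upload issue of this kind, as an added example written for this page (not vBulletin's code): the extension must come from an allowlist, the file's first bytes must match that image type, and the stored name is generated server side so nothing from the client's filename survives. The size limit, the function name and the naming scheme are assumptions.

```python
"""Validate an avatar/icon/smilie upload before it is stored.

Added example, not vBulletin's code. The size limit and the storage-name
scheme are assumptions, not the project's settings.
"""
import os
import secrets

# Extension allowlist with the magic bytes each image type must start with.
# The client's Content-Type header is deliberately not consulted: it is
# client-controlled, while the file's first bytes are checked here.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 256 * 1024  # assumed site limit for image uploads

# Constructed samples: a GIF header (not a complete image) and a PHP file.
SAMPLE_GIF = b"GIF89a" + b"\x00" * 26
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"


def check_upload(client_name, data):
    """Return (True, storage_name) for an acceptable image, else (False, reason).

    storage_name never contains anything from client_name: it is a random
    token plus the allowlisted extension, so names like 'shell.php.gif',
    'x.php\\x00.gif' or '../shell.php' have no effect on where or how the
    file is stored.
    """
    if not data:
        return False, "empty upload"
    if len(data) > MAX_BYTES:
        return False, "upload larger than %d bytes" % MAX_BYTES

    # Strip any directory component (both separator styles) before looking
    # at the name at all.
    base = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in base:
        return False, "null byte in filename"
    if "." not in base:
        return False, "no file extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension '%s' is not an allowed image type" % ext

    # The content must actually be the claimed image type.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match a %s image" % ext

    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    for name, content in [("avatar.gif", SAMPLE_GIF), ("shell.php", SAMPLE_PHP),
                          ("shell.php.gif", SAMPLE_PHP), ("../avatar.php.gif", SAMPLE_GIF)]:
        print(name, check_upload(name, content))
```

Storing the result under a directory where the web server has no script handler is the other half of the mitigation: a valid GIF with script code appended passes these content checks, and it is the server configuration, together with the randomised name and allowlisted extension, that keeps such a file from ever being executed.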
  
o Unpatched Bugs:  
================  
  
> /modcp/announcement.php:  
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05  
&announcement[0]=[SQL-Injection]>  
  
> /modcp/user.php:  
GET: <do=avatar&userid=0XF>  
  
There are still a lot of security-related bugs in the administrator  
panel of the vBulletin software. An authorized user could elevate his  
privileges and read sensitive data.  
  
> /admincp/admincalendar.php:  
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&  
calendar[0]=[SQL-Injection]>  
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>  
  
> /admincp/cronlog.php:  
POST: <do=doprunelog&cronid=0XF>  
POST: <do=prunelog&cronid=0XF>  
  
> /admincp/email.php:  
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>  
  
> /admincp/help.php:  
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>  
  
> /admincp/language.php:  
POST: <do=update&rvt[0]=[SQL-Injection]>  
  
> /admincp/phrase.php:  
POST: <do=completeorphans&keep[0]=[SQL-Injection]>  
  
> /admincp/usertools.php:  
POST: <do=updateprofilepic>  
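One way to hunt for these probes in existing web-server logs, as an added example that is not part of the advisory: the request lists in the SQL-Injection, XSS and Unpatched Bugs sections share two traits, a hex-looking value such as 0XF where an integer id is expected (a sign that the parameter was not cast to an integer before reaching the query) and SQL or HTML metacharacters in admin-panel parameters. Parameter names and paths are taken from those lists; the heuristics, the log format and the sample log lines are the editor's own constructions.

```python
"""Flag access-log requests that match the probe patterns listed in this
advisory: non-integer ids such as 0XF, and SQL/HTML metacharacters in
admin panel parameters.

Added example for detection, not part of the advisory. Parameter names and
paths come from the advisory's request lists; the heuristics and the log
lines below are constructed for this example.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory shows accepting a hex-looking value (0XF). A sane
# value is a decimal integer; anything else means the application did not
# cast the input before putting it into SQL.
INT_PARAMS = {
    "usertitleid", "ids", "cronid", "calendarid", "userid", "moderatorid",
    "limitnumber", "limitstart", "usergroupid", "announcementid", "dostyleid",
}

# Only the admin and moderator panels are in scope for this advisory.
ADMIN_PREFIXES = ("/admincp/", "/modcp/")

# Cheap indicators of SQL or HTML metacharacters in a decoded value.
SQLI_RE = re.compile(r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)
XSS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)

# Apache/nginx combined log format: client, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def _names(key):
    """'moderator[calendarid]' -> {'moderator', 'calendarid'}: check both levels."""
    return {key.split("[", 1)[0], *re.findall(r"\[([^\]]*)\]", key)}


def analyze_request(method, url, body=""):
    """Return (parameter, value, reason) findings for one request.

    body is a form-encoded POST body, which a plain access log does not
    contain; feed it from a WAF or application log when available.
    """
    parts = urlsplit(url)
    if not parts.path.startswith(ADMIN_PREFIXES):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)

    findings = []
    for key, value in params:
        names = _names(key)
        if names & INT_PARAMS:
            # 'ids' is a comma-separated list; the rest are single ids.
            pattern = r"\d+(,\d+)*" if "ids" in names else r"\d+"
            if not re.fullmatch(pattern, value):
                findings.append((key, value, "non-integer value in integer id parameter"))
                continue
        for text in (key, value):
            if SQLI_RE.search(text):
                findings.append((key, value, "SQL metacharacters in admin panel parameter"))
                break
            if XSS_RE.search(text):
                findings.append((key, value, "HTML/script content in admin panel parameter"))
                break
    return findings


def scan_log(text):
    """Return (ip, url, findings) for each suspicious line of a combined access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["method"], m["url"])
        if findings:
            hits.append((m["ip"], m["url"], findings))
    return hits


# Constructed sample log: two probes taken from the advisory's request lists,
# one legitimate admin request, and one out-of-scope request on a public page.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2005:10:01:12 +0200] "GET /admincp/usertitle.php?do=edit&usertitleid=0XF HTTP/1.1" 200 5120
10.0.0.5 - - [17/Sep/2005:10:01:40 +0200] "GET /admincp/modlog.php?do=view&orderby=%3Cb%3Ex HTTP/1.1" 200 4010
10.0.0.9 - - [17/Sep/2005:10:02:03 +0200] "GET /admincp/usertitle.php?do=edit&usertitleid=12 HTTP/1.1" 200 5120
10.0.0.9 - - [17/Sep/2005:10:02:30 +0200] "GET /forumdisplay.php?f=0XF HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        for key, value, reason in findings:
            print("%s %s: %s=%r: %s" % (ip, url, key, value, reason))
```

The POST-based requests in the advisory carry their parameters in the body, which a plain access log does not record; analyze_request accepts a form-encoded body so the same checks can run over WAF or application logs. The scope is restricted to /admincp/ and /modcp/ on purpose, so the same 0XF value on a public page is ignored here, and the keyword list in SQLI_RE will need tuning on forums whose admin forms legitimately contain those words.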
  
Even a privileged user should not be able to add posts, titles,  
announcements etc. containing HTML/JavaScript code.  
  
> Not properly filtered: (XSS)  
</admincp/announcement.php>  
</admincp/admincalendar.php>  
</admincp/bbcode.php>  
</admincp/cronadmin.php>  
</admincp/email.php?do=genlist>  
</admincp/faq.php?do=add>  
</admincp/forum.php?do=add>  
</admincp/image.php?do=add&table=avatar/icon/smilie>  
</admincp/language.php>  
</admincp/ranks.php?do=add>  
</admincp/replacement.php?do=add>  
</admincp/replacement.php?do=edit>  
</admincp/template.php?do=addstyle>  
</admincp/template.php?do=edit>  
</admincp/usergroup.php?do=add>  
</admincp/usertitle.php>  
  
o Disclosure Timeline:  
=====================  
  
20 Jul 05 - Security flaws discovered.  
29 Jul 05 - Vendor contacted.  
09 Sep 05 - Vendor released 'bugfixed' version.  
17 Sep 05 - Public release.  
  
o Solution:  
==========  
  
Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in  
this advisory. Maybe the next vBulletin release will fix the still  
unpatched security-related bugs.  
  
o Credits:  
=========  
  
deluxe <[email protected]>  
  
- ---  
  
Thomas Waldegger <[email protected]>  
BuHa-Security Community - http://buha.info/board/  
  
If you have questions, suggestions or criticism about the advisory, feel  
free to send me a mail. The address '[email protected]' is more of a  
spam address than a regular mail address, so it's possible that I  
ignore some mails. Please use the contact details at  
http://morph3us.org/ to contact me.  
  
Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,  
eh!1! :oP), trappy and all members of BuHa.  
  
Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt  
  
[1] http://www.vbulletin.com/forum/showthread.php?p=961409  
  
- --  
M$ is not the answer. M$ is the question. The answer is NO!!1!  
BuHa-Security Community: http://buha.info/board/  
  
-----BEGIN PGP SIGNATURE-----  
Version: n/a  
Comment: http://morph3us.org/  
  
iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd  
+nRt0ghXoiA88M54F/MIy1U=  
=zg38  
-----END PGP SIGNATURE-----  
