Lucene search
Thomas WaldeggerPACKETSTORM:40167HistorySep 22, 2005 - 12:00 a.m.
20050917-vbulletin-3.0.8.txt
2005-09-2200:00:00
Thomas Waldegger
packetstormsecurity.com
37
`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------
| BuHa Security-Advisory #3 | Sep 17th, 2005 |
| feat. SePro Bugtraq | |
---------------------------------------------------
| Vendor | vBulletin |
| URL | http://vbulletin.com/ |
| Version | <= vBulletin 3.0.9 |
| Risk | Moderate (SQL-Injection and |
| | Arbitrary File Upload) |
---------------------------------------------------
First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they are going to look into these bugs. We
never got another mail with information about the problems they fixed -
they also did not inform us about the release of the latest version
which *should* address all known security problems. So it comes as no
surprise that they missed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release *any*
information about patched security problems in their announcement [1]
for the current version too. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture but who cares.
o Description:
=============
vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.
Visit http://vbulletin.com/ for detailed information.
o SQL-Injection: (Fixed in vB 3.0.9)
===============
> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>
> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>
> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>
> /admincp/usertools.php:
GET: <do=pmuserstats&ids=0XF>
o XSS: (Fixed in vB 3.0.9)
=====
> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>
> /admincp/index.php:
GET: <redirect=[XSS]>
> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>
> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>
> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>
> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]
o Arbitrary File Upload:
=======================
An user with access to administrator panel (e.g. (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is able to gain the ability to execute commands under
the context of the web server.
> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>
This issue is not addressed in vBulletin 3.0.9.
o Unpatched Bugs:
================
> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
&announcement[0]=[SQL-Injection]>
> /modcp/user.php:
GET: <do=avatar&userid=0XF>
There are still a lot of security related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.
> /admincp/admincalendar.php:
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
calendar[0]=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>
> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>
> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>
> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>
> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>
> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>
> /admincp/usertools.php:
POST: <do=updateprofilepic>
Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript-Code in it.
> Not properly filtered: (XSS)
</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>
o Disclosure Timeline:
=====================
20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.
o Solution:
==========
Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.
o Credits:
=========
deluxe <[email protected]>
- ---
Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.
Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.
Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt
[1] http://www.vbulletin.com/forum/showthread.php?p=961409
- --
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd
+nRt0ghXoiA88M54F/MIy1U=
=zg38
-----END PGP SIGNATURE-----
`