ID SECURITYVULNS:DOC:3661 Type securityvulns Reporter Securityvulns Modified 2002-10-19T00:00:00
Description
.:: vBulletin XSS Security Bug
vBulletin is a widely used bulletin board system written in PHP on top of a
MySQL database. One of its features is the use of templates to customise the
board's look. I recently discovered a Cross-Site Scripting vulnerability that
allows attackers to inject malicious code and have it executed in the client's
browser.
Vulnerable Versions:
Jelsoft vBulletin 2.2.8.
Jelsoft vBulletin 2.2.7.
Jelsoft vBulletin 2.2.6.
Jelsoft vBulletin 2.2.5.
Jelsoft vBulletin 2.2.4.
Jelsoft vBulletin 2.2.3.
Jelsoft vBulletin 2.2.2.
Jelsoft vBulletin 2.2.1.
Jelsoft vBulletin 2.2.0.
Jelsoft vBulletin 2.0.2.
Jelsoft vBulletin 2.0.1.
Jelsoft vBulletin 2.0.0.
Jelsoft vBulletin 2.0.0 Candidate 3.
Jelsoft vBulletin 2.0.0 Candidate 2.
Jelsoft vBulletin 2.0.0 Candidate 1.
Jelsoft vBulletin 2.0.0 Beta 5.
Jelsoft vBulletin 2.0.0 Beta 4.
Jelsoft vBulletin 2.0.0 Beta 4.1.
Jelsoft vBulletin 2.0.0 Beta 3.
Jelsoft vBulletin 2.0.0 Beta 2.
Jelsoft vBulletin 2.0.0 Beta 1.
Jelsoft vBulletin 2.0.0 Alpha.
Details:
In global.php there is a variable, $scriptpath, whose value is taken from the
URL the client came from. In admin/functions.php, the show_nopermission
function declares $scriptpath as a global variable and prints its contents
into the error_nopermission_loggedin template without any filtering or HTML
encoding. So if we pass tags and script code in the URL and refresh the page,
they are printed verbatim into the no-permission template and interpreted by
the browser. The same applies to the $url variable, whose contents are
printed into many templates.
Exploit:
Note: Tested with Microsoft Internet Explorer 6.0 against vBulletin.com:
- Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script>
[You can use it wherever error_nopermission_loggedin gets printed].
- A pop-up window will appear along with the error message.
- Then log in.
- Go back to the previous page where you left the login form.
- The pop-up window will appear again, this time containing the User ID and
Password Hash from the cookie.
The same applies to the templates that print $url.
Solution:
Forum administrators can add code that checks the referred URL and filters
(HTML-encodes) its contents before it reaches the template, or upgrade to
vBulletin 3.0.
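As an added example, not vBulletin's code and not part of the original advisory, the following Python script models the unsafe template substitution described under Details beside an output-encoded version (the equivalent of PHP's htmlspecialchars with ENT_QUOTES, which is the fix the Solution section calls for), and builds the usercp.php request from the Exploit section with a harmless marker in place of the script payload so an administrator can tell a raw reflection from an encoded one. The template markup, the session ID, the forum URL, the marker and the allow-list pattern are constructed assumptions; the real error_nopermission_loggedin markup is not reproduced on this page.

```python
import html
import re
from urllib.parse import quote

# Constructed stand-in for the error_nopermission_loggedin template (the real
# vBulletin 2.x markup is not on the page). $scriptpath lands inside a
# double-quoted attribute, which is why the advisory's payload opens with
# "> : it closes the attribute and the tag before starting its own.
TEMPLATE = ('<p>You do not have permission to access this page.</p>'
            '<a href="$scriptpath">Go back</a>')

# The advisory's payload with a made-up session ID in the query string.
PAYLOAD_SCRIPTPATH = 'usercp.php?s=abc123"><Script>alert(document.cookie);</Script>'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(scriptpath: str) -> str:
    """Unsafe substitution, as described for show_nopermission(): the value
    is pasted into the template with no output encoding."""
    return TEMPLATE.replace("$scriptpath", scriptpath)


def encode_for_html(value: str) -> str:
    """Output encoding equivalent to PHP htmlspecialchars($v, ENT_QUOTES):
    & < > " and ' become entities, so the value can neither close the
    attribute nor open a tag."""
    return html.escape(value, quote=True)


def render_fixed(scriptpath: str) -> str:
    """Hardened substitution: encode on output, always."""
    return TEMPLATE.replace("$scriptpath", encode_for_html(scriptpath))


def is_plausible_scriptpath(value: str) -> bool:
    """Defence-in-depth allow-list (an assumption of this example, not a
    vBulletin rule): a script path should be a forum .php file plus a
    simple query string."""
    return re.fullmatch(r"[A-Za-z0-9_]+\.php(\?[A-Za-z0-9_=&%+.\-]*)?", value) is not None


def contains_script_tag(markup: str) -> bool:
    return SCRIPT_TAG.search(markup) is not None


# --- administrator's check: does the forum reflect a marker unencoded? ---

MARKER = 'vbxss"><vbtest>'  # constructed; closes the attribute like the payload, executes nothing


def build_probe_url(base_url: str, session_id: str, marker: str = MARKER) -> str:
    """Build the usercp.php request from the advisory with the marker in
    place of the script payload. base_url and session_id are hypothetical."""
    return f"{base_url.rstrip('/')}/usercp.php?s={session_id}{quote(marker, safe='')}"


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """'raw' if the marker comes back unencoded (vulnerable), 'escaped' if it
    comes back entity-encoded (fixed), 'absent' if it is not reflected."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_SCRIPTPATH))
    print(render_fixed(PAYLOAD_SCRIPTPATH))
    print(build_probe_url("http://forum.example", "abc123"))
    # Constructed responses standing in for what a live probe would return.
    probed = "usercp.php?s=abc123" + MARKER
    for body in (render_vulnerable(probed),
                 render_fixed(probed),
                 "<p>You are not logged in.</p>"):
        print(classify_reflection(body))
```

Only probe a forum you are authorised to test. A response classified as raw means the page pastes the query string into markup unencoded, exactly the condition the advisory exploits; escaped means output encoding is in place. The allow-list check is a second layer on top of encoding, not a substitute for it, since encoding on output is what stops the attribute break-out regardless of what the value contains.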
Links:
Http://www.vBulletin.com