
[BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9

2005-09-21 00:00:00
vulners.com

| BuHa Security-Advisory #3 | Sep 17th, 2005                                  |
| feat. SePro Bugtraq       |                                                 |

| Vendor  | vBulletin                                                   |
| URL     | http://vbulletin.com/                                       |
| Version | <= vBulletin 3.0.9                                          |
| Risk    | Moderate (SQL-Injection and Arbitrary File Upload)          |

First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they were going to look into these bugs. We
never got another mail with information about the problems they fixed -
they also did not inform us about the release of the latest version,
which should address all known security problems. So it comes as no
surprise that they failed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release any
information about patched security problems in their announcement [1]
for the current version either. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture, but who cares.

o Description:

vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language, PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)

> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>

> /admincp/usertools.php:
GET: <do=pmuserstats&ids=0XF>
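Every integer-typed parameter listed above (usertitleid, ids, limitnumber, limitstart) and in the unpatched-bugs list further down (userid, cronid, calendarid, moderatorid) is probed with a non-decimal value such as 0XF; a request that carries one is a useful detection signal. The following Python log scanner is an added example written for this advisory, not part of it and not vBulletin code; the Apache log lines, IP addresses and the parameter set it checks are constructed from the names in this advisory.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Integer-typed request parameters this advisory names as injectable when
# they reach the database unfiltered. MySQL accepts 0XF as a hex literal,
# so such a value only "works" when the script never casts the parameter
# to an integer; seen in a log, it is a strong sign of probing.
INT_PARAMS = {"usertitleid", "ids", "userid", "cronid", "limitnumber",
              "limitstart", "calendarid", "moderatorid", "usergroupid"}
ADMIN_PREFIXES = ("/admincp/", "/modcp/")
DECIMAL = re.compile(r"^-?\d+$")
# Apache common/combined log format (constructed sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')


def find_suspect_params(uri):
    """Return (name, value) pairs for integer-typed parameters of an
    admincp/modcp request whose value is not a plain decimal number."""
    parsed = urlparse(uri)
    if not parsed.path.startswith(ADMIN_PREFIXES):
        return []
    return [(name, value)
            for name, value in parse_qsl(parsed.query, keep_blank_values=True)
            if name in INT_PARAMS and not DECIMAL.match(value.strip())]


def scan_log(lines):
    """Return a list with one finding per log line carrying a suspect parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = find_suspect_params(m.group("uri"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "uri": m.group("uri"), "params": hits})
    return findings


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2005:10:00:01 +0200] "GET /admincp/usertitle.php?do=edit&usertitleid=7 HTTP/1.1" 200 512
192.0.2.10 - - [17/Sep/2005:10:00:05 +0200] "GET /admincp/usertitle.php?do=edit&usertitleid=0XF HTTP/1.1" 200 512
192.0.2.11 - - [17/Sep/2005:10:01:09 +0200] "GET /admincp/user.php?do=find&orderby=username&limitstart=5%27 HTTP/1.1" 500 0
192.0.2.12 - - [17/Sep/2005:10:02:30 +0200] "GET /showthread.php?t=0XF HTTP/1.1" 200 4096
192.0.2.13 - - [17/Sep/2005:10:03:44 +0200] "GET /modcp/user.php?do=avatar&userid=0XF HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["time"], f["ip"], f["uri"], f["params"])
```

Only GET requests show up in access logs; the POST-based injections in this advisory need request-body logging or a web application firewall in front of admincp to be seen the same way.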

o XSS: (Fixed in vB 3.0.9)

> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php:
GET: <redirect=[XSS]>

> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>

> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>

> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]>

o Arbitrary File Upload:

A user with access to the administrator panel (e.g. a (co-)administrator)
who has the privilege to add avatars/icons/smileys is able to upload
arbitrary files. An attacker can thereby gain the ability to execute
commands in the context of the web server.

> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.
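The defence an image upload handler like the avatar/icon/smilie one above needs is to trust neither the uploader's filename nor its extension: allowlist the extension, check the content's magic bytes against it, and store the file under a server-chosen name in a directory that is never executed as script. The Python below is an added example written for this advisory, not vBulletin's code; the sample uploads, size limit and directory path are constructed.

```python
import os
import secrets

# Leading bytes ("magic") of the only image types an avatar, icon or
# smilie upload should ever contain, keyed by the permitted extension.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_IMAGE_BYTES = 64 * 1024  # constructed limit for the example


def validate_image_upload(filename, data):
    """Return (True, extension) or (False, reason). The declared extension
    must be on the allowlist and the content must start with that type's
    magic, so a script uploaded as .php or renamed to .gif is refused."""
    if not filename or os.path.basename(filename) != filename:
        return False, "filename contains path components"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if len(data) > MAX_IMAGE_BYTES:
        return False, "file too large"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext):
    """Random server-chosen name: the uploader's filename is never reused,
    so double extensions or odd characters never reach the filesystem."""
    return secrets.token_hex(16) + ext


def accept_upload(filename, data, upload_dir):
    """Validate and return the path the file would be stored under
    (upload_dir must be served without script execution)."""
    ok, result = validate_image_upload(filename, data)
    if not ok:
        raise ValueError(result)
    return os.path.join(upload_dir, storage_name(result))


# Constructed sample uploads.
GOOD_GIF = b"GIF89a" + b"\x00" * 20
NOT_AN_IMAGE = b"<?php echo 'hi'; ?>"
```

A magic-byte check alone still accepts a real image with extra data appended, so re-encoding the image with an image library before storing it, plus the non-executing upload directory, is what actually closes the file-upload-to-code-execution path.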

o Unpatched Bugs:

> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05&announcement[0]=[SQL-Injection]>

> /modcp/user.php:
GET: <do=avatar&userid=0XF>

There are still a lot of security related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.

> /admincp/admincalendar.php:
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&calendar[0]=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/usertools.php:
POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript code in them.

> Not properly filtered: (XSS)
</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>

o Disclosure Timeline:

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.

o Credits:

deluxe <deluxe (at) security-project (dot) org>

Thomas Waldegger <bugtraq (at) morph3us (dot) org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq (at) morph3us (dot) org' is more a
spam address than a regular mail address, therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409


M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/
