[BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9

Type securityvulns
Reporter Securityvulns
Modified 2005-09-21T00:00:00


-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 --------------------------------------------------- | BuHa Security-Advisory #3 | Sep 17th, 2005 | | feat. SePro Bugtraq | | --------------------------------------------------- | Vendor | vBulletin | | URL | http://vbulletin.com/ | | Version | <= vBulletin 3.0.9 | | Risk | Moderate (SQL-Injection and | | | Arbitrary File Upload) | ---------------------------------------------------

First of all I want to express my disappointment with the behavior of the vbulletin.com and vbulletin-germany.com team and the missing cooperation. We sent them a mail with a list of security issues and they immediately answered that they are going to look into these bugs. We never got another mail with information about the problems they fixed - they also did not inform us about the release of the latest version which should address all known security problems. So it comes as no surprise that they missed to fix a lot of moderate security bugs in the latest version. They did not consider it necessary to release any information about patched security problems in their announcement [1] for the current version too. Some thanks/credits for our trouble/time with the audit would have been a nice gesture but who cares.

o Description:

vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complemented with a highly efficient and ultra fast back-end database engine built using MySQL.

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)

> /joinrequests.php: POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

> /admincp/user.php: GET: <do=find&orderby=username&limitnumber=[SQL-Injection]> GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php: GET: <do=edit&usertitleid=0XF>

> /admincp/usertools.php: GET: <do=pmuserstats&ids=0XF>

o XSS: (Fixed in vB 3.0.9)

> /admincp/css.php: GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php: GET: <redirect=[XSS]>

> /admincp/user.php: GET: <do=emailpassword&email=[XSS]>

> /admincp/language.php: GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php: GET: <do=view&orderby=[XSS]>

> /admincp/template.php: GET: <do=colorconverter&hex=[XSS]> GET: <do=colorconverter&rgb=[XSS]> GET: <do=modify&expandset=[XSS]

o Arbitrary File Upload:

An user with access to administrator panel (e.g. (Co)Administrator) and the privilege to add avatars/icons/smileys is able to upload arbitrary files. An attacker is able to gain the ability to execute commands under the context of the web server.

> /admincp/image.php: POST: <do=upload&table=avatar> POST: <do=upload&table=icon> POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:

> /modcp/announcement.php: POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05 &announcement[0]=[SQL-Injection]>

> /modcp/user.php: GET: <do=avatar&userid=0XF>

There are still a lot of security related bugs in the administrator panel of the vBulletin software. An authorized user could elevate his privileges and read sensitive data.

> /admincp/admincalendar.php: POST: <do=update&calendarid=1&calendar[daterange]=1970-2030& calendar[0]=[SQL-Injection]> POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

> /admincp/cronlog.php: POST: <do=doprunelog&cronid=0XF> POST: <do=prunelog&cronid=0XF>

> /admincp/email.php: POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php: POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/language.php: POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php: POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/usertools.php: POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles, announcements etc. with HTML/JavaScript-Code in it.

> Not properly filtered: (XSS) </admincp/announcement.php> </admincp/admincalendar.php> </admincp/bbcode.php> </admincp/cronadmin.php> </admincp/email.php?do=genlist> </admincp/faq.php?do=add> </admincp/forum.php?do=add> </admincp/image.php?do=add&table=avatar/icon/smilie> </admincp/language.php> </admincp/ranks.php?do=add> </admincp/replacement.php?do=add> </admincp/replacement.php?do=edit> </admincp/template.php?do=addstyle> </admincp/template.php?do=edit> </admincp/usergroup.php?do=add> </admincp/usertitle.php>

o Disclosure Timeline:

20 Jul 05 - Security flaws discovered. 29 Jul 05 - Vendor contacted. 09 Sep 05 - Vendor released 'bugfixed' version. 17 Sep 05 - Public release.

o Solution:

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in this advisory. Maybe the next vBulletin release fixes the still unpatched security related bugs.

o Credits:

deluxe <deluxe (at) security-project (dot) org [email concealed]>

Thomas Waldegger <bugtraq (at) morph3us (dot) org [email concealed]> BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq (at) morph3us (dot) org [email concealed]' is more a spam address than a regular mail address therefore it's possible that I ignore some mails. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king, eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

M$ is not the answer. M$ is the question. The answer is NO!!1! BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/

iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd +nRt0ghXoiA88M54F/MIy1U= =zg38 -----END PGP SIGNATURE-----