Bugtraq mailing list archives
[BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.7
From: bugtraq () morph3us org
Date: 20 Sep 2005 21:34:07 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 --------------------------------------------------- | BuHa Security-Advisory #2 | Sep 17th, 2005 | | feat. SePro Bugtraq | | --------------------------------------------------- | Vendor | vBulletin | | URL | http://vbulletin.com/ | | Version | <= vBulletin 3.0.7 | | Risk | Moderate (SQL-Injection and | | | Arbitrary File Upload) | --------------------------------------------------- The vBulletin team released version 3.0.8 of their software at the same time as we dropped them a mail about several security related issues. They already had addressed a couple of problems we mentioned in our mail but they did not fix all named security issues so we decided to release two advisories - one for the version 3.0.8 and the other one for the latest version 3.0.9. Unfortunately the vBulletin team did not consider it necessary to release *any* information about security problems in their software to the public not to mention send us details about the bugs they fixed therefore we have to determine the differences between the versions on our own. o Description: ============= vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complemented with a highly efficient and ultra fast back-end database engine built using MySQL. [...] Visit http://vbulletin.com/ for detailed information. o SQL-Injection: ===============
/joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0> A moderator is able to read sensitive data like Private Messages, Password Hashes etc.
/modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05 &announcement[0]=[SQL-Injection]>
/modcp/thread.php:
POST: <do=dothreads&thread[forumid]=0XF>
POST: <do=dothreadssel&criteria=a:1:{s:7:"forumid";s:5:"aaaa'";}>
/modcp/user.php:
GET: <do=avatar&userid=0XF> There are a lot of security related bugs in the administrator panel of the vBulletin software. An authorized user could elevate his privileges and read sensitive data.
/admincp/admincalendar.php:
GET: <do=addcustom&calendarcustomfieldid=[SQL-Injection]> GET: <do=addmod&calendarid=[SQL-Injection]> GET: <do=addmod&calendarid=1&moderatorid=[SQL-Injection]> GET: <do=deletecustom&calendarcustomfieldid=[SQL-Injection]> POST: <do=doremoveholiday&holidayid=[SQL-Injection]> GET: <do=edit&calendarid=[SQL-Injection]> POST: <do=kill&calendarid=[SQL-Injection]> POST: <do=killmod&$calendarmoderatorid=[SQL-Injection]> GET: <do=remove&calendarid=[SQL-Injection]> POST: <do=removemod&moderatorid=[SQL-Injection]> POST: <do=saveholiday&holidayinfo[title]=sepro&holidayid=0XF> POST: <do=update&calendar[daterange]=2002-2008&calendarid=0XF> GET: <do=updateholiday&holidayid=0XF> POST: <do=update&calendarid=1&calendar[daterange]=1970-2030& calendar[0]=[SQL-Injection]> POST: <do=updatemod&calendarid=1&moderatorid=[SQL-Injection]> POST: <do=updatemod&moderatorid=1&moderator[calendarid]=[SQL-Injection]>
/admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF> POST: <do=prunelog&cronid=0XF>
/admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>
/admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>
/admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]> GET: <do=find&orderby=username&limitstart=[SQL-Injection]>
/admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF> GET: <do=pmuserstats&ids=0XF>
/admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>
/admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>
/admincp/template.php:
GET: <do=editstyle&dostyleid=[SQL-Injection]> GET: <do=editstyle&dostyleid=[SQL-Injection]> POST: <do=revertall&dostyleid=[SQL-Injection]>
/admincp/thread.php::
POST: <do=dothreads&thread[forumid]=0XF>
/admincp/usertools.php:
POST: <do=updateprofilepic> Not included in standard vBulletin release:
/admincp/vbugs_admin.php:
GET: <do=editseverity&vbug_severityid=[SQL-Injection]> GET: <do=removeseverity&vbug_severityid=[SQL-Injection]> GET: <do=updateseverity&vbug_severityid=[SQL-Injection]> o Arbitrary File Upload: ======================= Any user with access to administrator panel (e.g. (Co)Administrator) and the privilege to add avatars/icons/smileys is able to upload arbitrary files. An attacker is able to gain the ability to execute commands under the context of the web server.
/admincp/image.php:
POST: <do=upload&table=avatar> POST: <do=upload&table=icon> POST: <do=upload&table=smilie> o XSS: =====
/modcp/index.php:
GET: <do=frames&loc=[XSS]>
/modcp/user.php:
GET: <do=gethost&ip=[XSS]>
/admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>
/admincp/index.php:
GET: <redirect=[XSS]> GET: <do=frames&loc=[XSS]>
/admincp/user.php:
GET: <do=emailpassword&email=[XSS]>
/admincp/usertitle.php:
GET: <do=gethost&ip=[XSS]>
/admincp/language.php:
GET: <do=rebuild&goto=[XSS]>
/admincp/modlog.php:
GET: <do=view&orderby=[XSS]>
/admincp/template.php:
GET: <do=colorconverter&hex=[XSS]> GET: <do=colorconverter&rgb=[XSS]> GET: <do=modify&expandset=[XSS]> Not included in standard vBulletin release:
/admincp/vbugs_admin.php:
GET: <do=updateseverity&vbug_severityid=1%20/*[XSS]> Even a privileged user should not be able to add posts, titles, announcements etc. with HTML/JavaScript-Code in it.
Not properly filtered: (XSS)
</admincp/announcement.php> </admincp/admincalendar.php> </admincp/bbcode.php> </admincp/cronadmin.php> </admincp/email.php?do=genlist> </admincp/faq.php?do=add> </admincp/forum.php?do=add> </admincp/image.php?do=add&table=avatar/icon/smilie> </admincp/language.php> </admincp/ranks.php?do=add> </admincp/replacement.php?do=add> </admincp/replacement.php?do=edit> </admincp/template.php?do=addstyle> </admincp/template.php?do=edit> </admincp/usergroup.php?do=add> </admincp/usertitle.php> o Disclosure Timeline: ===================== 20 Jul 05 - Security flaws discovered. 29 Jul 05 - Vendor contacted. 29 Jul 05 - Vendor released 'bugfixed' version. 17 Sep 05 - Public release. o Solution: ========== Upgrade to vBulletin 3.0.9 [1] o Credits: ========= deluxe <deluxe () security-project org> Security-Project - http://security-project.org/projects/board/ - --- Thomas Waldegger <bugtraq () morph3us org> BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq () morph3us org' is more a spam address than a regular mail address therefore it's possible that I ignore some mails. Please use the contact details at http://morph3us.org/ to contact me. Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king, eh!1! :oP), trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/2005...letin-3.0.7.txt [1] http://www.vbulletin.com/forum/showthread.php?p=961409 - -- M$ is not the answer. M$ is the question. The answer is NO!!1! BuHa-Security Community: http://buha.info/board/ -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFDLTk4UXI2fw/BTWcRAq08AKCIrmD0tcZAZgmMKaR1mmAbn22nVgCeI8MB zDZY3UOHZ5dEUFeFOd+MNhk= =5j2Y -----END PGP SIGNATURE-----
Current thread:
- [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.7 bugtraq (Sep 21)