RE: vBulletin Security Vulnerability

["Scott MacVicar" <scott () vbulletin com>]

Hello,

The issue you are now reporting is for a completely different version. And
its not even the same problem. vBulletin 3 and vBulletin 2 are different
code bases and again the issue that you are trying to identify is not
present.

----------------------------
[root@devbox vb3b7]# grep -rna "regtype" *
install/vbulletin-style.xml:6866:<input type="hidden" name="regtype"
value="1" />
install/vbulletin-style.xml:7728:       <input type="hidden" name="regtype"
value="2" />
install/vbulletin-style.xml:12018:      <label for="rb_regtype_1"><input
type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked"
/><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12019:      <label for="rb_regtype_2"><input
type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> -
Shorter, but less option-filled registration form.</label><br />
install/vbulletin-style.xml:12094:      <label for="rb_regtype_1"><input
type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked"
/><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12095:      <label for="rb_regtype_2"><input
type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> -
Shorter, but less option-filled registration form.</label>
register.php:1302:      if ($_REQUEST['regtype'] == 2)
----------------------------

As you can see above the only time the variable regtype is reference is
within the register.php code and it's a comparison and not directly
outputted. The regtype was removed after Beta 7 for a new registration
method.

----------------------
Scott MacVicar
Developer, vBulletin

> -----Original Message-----
> From: Ferruh Mavituna [mailto:ferruh () mavituna com]
> Sent: 23 January 2004 05:07
> To: 'Kier Darby'; vuln-dev () securityfocus com
> Subject: RE: vBulletin Security Vulnerability
>
> Hello;
>
> This must be an option or something like that in new vBulletin, After 
> a small search on Google you can find all "vBulletin v3.0.0 Beta 7" 
> forums.
>
> --------------------------------------------------------------
> -------------
> "We can only assume that this vulnerability was found in a site 
> running code modified from that supplied by Jelsoft."
> --------------------------------------------------------------
> -------------
>
> Not "a site", most of them vulnerable. If you provide this 
> customization yes vBulletin is not vulnerable but "Jelsoft 
> customizations" are vulnerable.
>
> And most of these forums have register.php "Standard / Quick" 
> selection and
> "regtype" hidden field. 
>
> Almost %80 of your customers are vulnerable.
>
>
> Ferruh.Mavituna
> http://feruh.mavituna.com
> PGPKey : http://ferruh.mavituna.com/PGPKey.asc
>
> -----Original Message-----
> From: Kier Darby [mailto:kier () vbulletin com]
> Sent: Wednesday, January 21, 2004 10:36 PM
> To: vuln-dev () securityfocus com
> Subject: Re: vBulletin Security Vulnerability
>
> In-Reply-To: <20040120190824.GA4674 () natalya rebby com>
>
> No patch has been issued for this 'vulnerability' because no 
> vulnerability exists.
>
>
>
> There is no hidden field called "reg_site", nor any $reg_site variable 
> anywhere in the vBulletin 2 or vBulletin 3 source code or templates, 
> nor has it ever existed.
>
>
>
> We can only assume that this vulnerability was found in a site running 
> code modified from that supplied by Jelsoft.