vb.org Archive


fatalsex 01-02-2006 05:26 PM

Html Injection
 
Html_Injection in vBulletin 3.5.2

-------

KAPDA New advisory

Vendor: http://www.vbulletin.com
Vulnerable Version: 3.5.2 (prior versions also may be affected)
Bug: Html_Injection (Second order Cross_Site_Scripting)
Exploitation: Remote with browser

Description:
--------------------
vBulletin is a powerful, scalable and fully customizable forums package. It has been written using the Web's quickest-growing scripting language; PHP, and is complemented with a highly efficient and ultra fast back-end database engine built using MySQL.

Vulnerability:
--------------------
Html_Injection :
The software does not properly filter HTML tags in the title of events before being passed to user in 'calendar.php' & 'reminder.php AS include'. That may allow a remote user to inject HTML/JavaScript code into events of the calendar. The hostile code may be rendered in the web browser of the victim user who will Request Reminder for those Events (persistent).
For example, an attacker creates a new event (Single-All Day Event, Ranged Event or Recurring Event) with this content:

TITLE:--------->Test<script>alert(document.cookie)</script>
BODY:---------->No matter
OTHER OPTIONS:->No matter

The hostile code will be rendered in the web browser of the victim user who will Request Reminder for this Event via http://example.com/vbulletin/calenda...addreminder&e=[eventid]
The hostile code will originate from the site running the vBulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), or take actions on the site acting as the target user.

Demonstration XSS URL:
--------------------
http://example.com/vbulletin/calenda...addreminder&e=[eventid]

Solution:
--------------------
There is no vendor supplied patch for this issue at this time.

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Moon-Tzu the sister of Sun-Tzu:"Wish you a good year and joyful one. HAPPY NEW YEAR"

=================

WTF, how can I get rid of this?
There's no reminder.php in the incl dir.
Disabled calendar. But I think it must be a bug fix.

nexialys 01-02-2006 05:59 PM

This is what we call a code leak: someone found a crack in the code, and this site is intended to help hackers to pirate your site by advertising failures in the code...

I suppose that the vb.COM guys are aware of this one, as it's not new... if it is really a problem, they will release a patch/upgrade real soon...

StGaensler 01-02-2006 06:00 PM

I haven't found any bug related to this topic so I created a new bug report: http://www.vbulletin.com/forum/bugs3...iew&bugid=2037

quick&dirty:
Open calendar.php and add at line 2271:
PHP Code:

$eventinfo['title'] = htmlspecialchars_uni($eventinfo['title']); 
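
Added example, not part of the thread or of vBulletin's code: the advisory's event title rendered without and with output encoding, which is the approach the one-line change above takes. The function names and the `$event` array are hypothetical, and PHP's built-in `htmlspecialchars()` stands in for vBulletin's `htmlspecialchars_uni()`.

```php
<?php
// Added illustration, not vBulletin source. The render_reminder_* functions,
// contains_raw_markup() and $event are hypothetical names; htmlspecialchars()
// stands in for vBulletin's htmlspecialchars_uni().

// Constructed sample: an event row as stored, with the title from the advisory.
$event = [
    'eventid' => 1,
    'title'   => 'Test<script>alert(document.cookie)</script>',
];

// Before: the stored title is interpolated into the page unchanged, so the
// browser parses the <script> element when the reminder page is requested.
function render_reminder_unescaped(array $event): string
{
    return '<td class="tcat">Request reminder for: ' . $event['title'] . '</td>';
}

// After: encode at output time for the HTML context the value lands in.
// ENT_QUOTES also covers titles later placed in single-quoted attributes.
function render_reminder_escaped(array $event): string
{
    $title = htmlspecialchars($event['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="tcat">Request reminder for: ' . $title . '</td>';
}

// Regression check: true when the stored value contains markup and that
// markup appears verbatim in the rendered page.
function contains_raw_markup(string $html, string $stored): bool
{
    return $stored !== strip_tags($stored) && strpos($html, $stored) !== false;
}

$before = render_reminder_unescaped($event);
$after  = render_reminder_escaped($event);

// The first call reports raw markup in the page, the second does not.
var_dump(contains_raw_markup($before, $event['title']));
var_dump(contains_raw_markup($after, $event['title']));

// The encoded page shows the title as text: Test&lt;script&gt;...
echo $after, PHP_EOL;
```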


Scott MacVicar 01-02-2006 06:23 PM

1 Attachment(s)
Use this plugin to fix it, we received no notification from the author and are looking into this at the moment.

Version 3.0 changed this to a version checker so it will only affect 3.5.2 and below.

Paul M 01-02-2006 06:39 PM

Thank you Scott. I don't think we use this functionality much (if at all), but I've added the plugin anyway. :)

Scott MacVicar 01-02-2006 06:49 PM

Quote:

Originally Posted by Paul M
Thank you Scott. I don't think we use this functionality much (if at all), but I've added the plugin anyway. :)

Just updated the plugin to take into account an issue on online.php, uninstall the current one and re-install this.

I think this can be sorted with permissions too.

Scott MacVicar 01-02-2006 07:15 PM

One more bump, changed to a product and added some install code so it will only run for 3.5.2 and below.

