vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Critical vulnerability in vBulletin 3.x - Self-Submitting HTML Form Attacks (https://vborg.vbsupport.ru/showthread.php?t=72682)

Michael Morris 12-09-2004 08:04 PM

Critical vulnerability in vBulletin 3.x - Self-Submitting HTML Form Attacks
 
I submitted this to vb3 but since I have a fix I thought I'd share it.

vBulletin forums can be attacked from self-submitting forms. Basically you write a small HTML file with a self-submitting form to make a post, change a signature, maybe change a password. You then submit a link on the post inviting curious board members to follow it. When they do, it does its evil magic, using their cookie or session variable for authorization.

To block this nasty attack, use the PHPINCLUDE_START template to verify that all attempts to execute a $_POST action originate from your boards.

PHP Code:

if (!empty($_POST['do']) AND !strstr($_SERVER['HTTP_REFERER'], "YOURBOARDSURL"))
{
    print_no_permission();
}


Replace YOURBOARDSURL with, well, your board's URL.

Floris 12-10-2004 12:03 PM

What is the unique support ticket system ID? You should get one when you submit it to vBulletin.

SaN-DeeP 12-10-2004 12:06 PM

Do we really need to add/apply the fix to our site/forums?

Regards,

Kier 12-10-2004 12:06 PM

Quote:

Originally Posted by Michael Morris
I submitted this to vb3 but since I have a fix I thought I'd share it.

vBulletin forums can be attacked from self-submitting forms. Basically you write a small HTML file with a self-submitting form to make a post, change a signature, maybe change a password. You then submit a link on the post inviting curious board members to follow it. When they do, it does its evil magic, using their cookie or session variable for authorization.

To block this nasty attack, use the PHPINCLUDE_START template to verify that all attempts to execute a $_POST action originate from your boards.

PHP Code:

if (!empty($_POST['do']) AND !strstr($_SERVER['HTTP_REFERER'], "YOURBOARDSURL"))
{
    print_no_permission();
}


Replace YOURBOARDSURL with, well, your board's URL.

The code you have there is potentially problematic - try replacing it with this:

PHP Code:

if (!empty($_POST['do']) AND strpos(strtolower($_SERVER['HTTP_REFERER']), strtolower($_SERVER['HTTP_HOST'])) === false)
{
    print_no_permission();
}


It should also be noted that if your webserver is one of the rare ones that does not set an HTTP referrer, this code will break vBulletin and prevent just about any kind of interaction with it.
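The snippet above is a substring test on the Referer, which accepts any referring URL that merely contains the board's host name somewhere in it, and it fails open when the header is absent. The following is an added example, not Kier's or vBulletin's code: it parses the referring URL and compares its host exactly, prefers the Origin header (which did not exist when this thread was written) when a browser sends one, and lets the administrator choose whether a missing header is rejected or tolerated, the trade-off Kier describes for servers that strip the referrer. The function names, the `$allowedHosts` list and the sample requests are constructed for the example; in a vBulletin install the call would replace the `strpos` test in the PHPINCLUDE_START snippet.

```php
<?php
// Added example (not vBulletin's code): an exact-host variant of the referer check
// discussed in this thread. Host names and requests below are constructed.

/**
 * Return the lower-cased host name of a URL, or null if it cannot be parsed.
 */
function referer_host($url)
{
    $host = parse_url($url, PHP_URL_HOST);
    return ($host === false || $host === null || $host === '') ? null : strtolower($host);
}

/**
 * Decide whether a state-changing POST may proceed.
 *
 * $server       the $_SERVER array (passed in so the function can be tested offline)
 * $allowedHosts host names the board is served from
 * $failClosed   true  = reject a request that carries neither Origin nor Referer
 *               false = allow it (the behaviour of the thread's snippet, needed on
 *                       servers or proxies that strip the header)
 */
function post_origin_allowed(array $server, array $allowedHosts, $failClosed = true)
{
    if (empty($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        return true; // only state-changing requests are checked
    }

    // Modern browsers send Origin on cross-site POSTs; fall back to Referer otherwise.
    $source = null;
    if (!empty($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== 'null') {
        $source = $server['HTTP_ORIGIN'];
    } elseif (!empty($server['HTTP_REFERER'])) {
        $source = $server['HTTP_REFERER'];
    }

    if ($source === null) {
        return !$failClosed;
    }

    $host = referer_host($source);
    if ($host === null) {
        return false; // unparseable header: treat as untrusted
    }

    // Exact match against the whitelist, never a substring test.
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed requests that exercise the three cases.
$allowed = array('forums.example.com');

$sameSite = array(
    'REQUEST_METHOD' => 'POST',
    'HTTP_REFERER'   => 'http://forums.example.com/newreply.php?t=1',
);
$crossSite = array(
    'REQUEST_METHOD' => 'POST',
    'HTTP_REFERER'   => 'http://other.example/forums.example.com/page.html',
);
$noReferer = array('REQUEST_METHOD' => 'POST');

var_dump(post_origin_allowed($sameSite, $allowed));
var_dump(post_origin_allowed($crossSite, $allowed));
var_dump(post_origin_allowed($noReferer, $allowed));
var_dump(post_origin_allowed($noReferer, $allowed, false));
```

The same-site request is allowed; the second request is refused even though the board's host name appears in the referring URL's path, which the `strpos` test would have let through; the request without a header is refused by default and allowed only when `$failClosed` is set to false. A header check of this kind is still only a stop-gap: the durable fix for forged cross-site POSTs is a per-session secret token embedded in every form and verified on submission, which does not depend on the client sending any referrer at all.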

miz 12-10-2004 12:35 PM

So should we do it?
Does it apply to 3.0.3?

Kier 12-10-2004 01:25 PM

Quote:

Originally Posted by miz
So should we do it?
Does it apply to 3.0.3?

I do not consider it to be a critical problem, as just about every web application out there can be exploited in this manner.

We are looking into ways to combat it for the forthcoming vBulletin release, but for now if you want a temporary fix and you are certain that your server sets the HTTP referer field, then you can use the code posted above.

SaN-DeeP 12-10-2004 02:39 PM

Quote:

Originally Posted by Kier
I do not consider it to be a critical problem, as just about every web application out there can be exploited in this manner.

We are looking into ways to combat it for the forthcoming vBulletin release, but for now if you want a temporary fix and you are certain that your server sets the HTTP referer field, then you can use the code posted above.

Call me a noob, but how do I test whether the server sets the HTTP referer field?

Kier 12-10-2004 02:49 PM

Quote:

Originally Posted by SaN-DeeP
Call me a noob, but how do I test whether the server sets the HTTP referer field?

Copy this code to a file called reftest.php and upload it to your server, then browse to the file and click the button on the page.

PHP Code:

<?php

if (!empty($_POST['do']))
{
    // Use empty() so an absent header does not raise an undefined-index notice
    if (!empty($_SERVER['HTTP_REFERER']))
    {
        // The referrer is client-supplied, so escape it before echoing it back
        echo "<p>Your HTTP referrer is <em>" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "</em>.</p>";
    }
    else
    {
        echo "<p>Your server does not appear to set an HTTP referrer. Oh dear.</p>";
    }
}

?>
<form action="reftest.php" method="post">
<input type="hidden" name="do" value="moo" />
<input type="submit" value="Click me" />
</form>


Jaxx 12-10-2004 03:40 PM

Props to the vB team for a fast response on this. :)

WotC_Mel 12-10-2004 03:53 PM

FWIW, we got hit by this exploit this week. In a matter of an hour there were 113 posts linked to the bad web page, as every time someone looked at the linked site, it changed your sig to link to the page and created a new post under the viewer's account that asked people to evaluate the "art" at said page.

So, yeah, I think it is important to view it as critical.

-Melanie


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
