vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Community Lounge (https://vborg.vbsupport.ru/forumdisplay.php?f=13)
-   -   Improtant Security Fix for 2.0.0 - 2.2.8 (https://vborg.vbsupport.ru/showthread.php?t=85057)

Brad 10-22-2002 06:27 PM
Improtant Security Fix for 2.0.0 - 2.2.8
 
This is a quote from this post @ vbulletin.com forums.

Quote:
.:: vBulletin XSS Security Bug

vBulletin is a powerful and widely used bulletin board system, based on
PHP language and MySQL database. One of its features is the usage of
templates to modify the boards look. I discovered lately a Cross-Site
Scripting vulnerability that would attackers to inject maleficent codes
and execute it on the clients browser.

+ Vulnerable Versions:

- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.
- Jelsoft vBulletin 2.0.0 Candidate 3.
- Jelsoft vBulletin 2.0.0 Candidate 2.
- Jelsoft vBulletin 2.0.0 Candidate 1.
- Jelsoft vBulletin 2.0.0 Beta 5.
- Jelsoft vBulletin 2.0.0 Beta 4.
- Jelsoft vBulletin 2.0.0 Beta 4.1.
- Jelsoft vBulletin 2.0.0 Beta 3.
- Jelsoft vBulletin 2.0.0 Beta 2.
- Jelsoft vBulletin 2.0.0 Beta 1.
- Jelsoft vBulletin 2.0.0 Alpha.

+ Details:

In global.php there is a variable [$scriptpath], the value of it is the
referred URL that the client came from. Move on to admin/functions.php,
in show_nopermission function the $scriptpath is called as a global
variable. The content of the variable gets printed in the
error_nopermission_loggedin template without filtering it. So if we pass
some tags and script codes in the URL and refresh the page it will be
printed in the no permission template. The same thing with $url variable
which print its contents in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

- Go to usercp.php?s=[Session ID]"><Script>alert
(document.cookie);</Script> [You can use it wherever
error_nopermission_loggedin get printed].
- A pop-up window will appear and you'll receive an error message.
- Then log in.
- Go back to the previous pages where you left the login form.
- Then the pop-up window will appear again containing the User ID and
Password Hash.

The same thing with $url templates.

+ Solution:

- Forum administrator can add some codes that will check the referred
URL and filter its inputs or upgrade to vBulletin 3.0.

+ Links:

- Http://www.vBulletin.com
2.2.9 will be released soon to fix this bug, in the mean time you sould patch your board by uploading a fix found here (note: ive only tested this with 2.2.8 myself).

The fix john posted seems to have problems, use ppn's working fix found here

DestyNova 10-22-2002 07:41 PM
Never mind.. I finally got it work and it show hashes but when I update global.php with John's fix and still show the hashes hmm..

Brad 10-22-2002 08:08 PM
Try ppn's fix found here that is the one im currently running. (note: upload to root/ not root/admin/)

DestyNova 10-22-2002 09:43 PM
Yup PPN's global.php work, not John's. Thanks!

LoRDsTaR 10-23-2002 04:16 AM
thanks for info , loo

Tony G 10-23-2002 05:02 AM
Gonna patch up later. Thanks AL. :)

lifesourcerec 05-12-2003 06:44 AM
Quote:
Originally Posted by DestyNova
Yup PPN's global.php work, not John's. Thanks!
In v2.26, this line can not be found.

Quote:
look for
PHP:
--------------------------------------------------------------------------------
$url=$HTTP_SERVER_VARS['HTTP_REFERER'];

filburt1 05-12-2003 11:20 AM
Hello and welcome to last year. Also we don't allow discussion of file editing here.

Tony G 05-12-2003 12:02 PM
Hehe.

Please take your discussion to vB.org. But, it's as easy as upgrading to 2.30 now. It has all the fixes. ;)

lifesourcerec 05-12-2003 05:25 PM
hehe.. ok. Not like I check this place too often. Sorry about that.


All times are GMT. The time now is 07:07 AM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01022 seconds
  • Memory Usage 1,738KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete