Thread: vBulletin Forums and User Accounts being exploited
View Single Post
  #1  
Old 05-03-2007, 06:27 PM
GoTTi GoTTi is offline
 
Join Date: Jun 2002
Posts: 1,346
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default vBulletin Forums and User Accounts being exploited
vbulletin staff please send out a security bulletin regarding this issue.

What is happening:
A user is posting a thread or reply with a image that on mouseover, records the users cookie onto a .php file page, which is printing out the data to a .txt file. The data being recorded is the cookie information of the user mousing over the image. When the user does the mouseover on the image, the image will disappear, when that happens, the cookie information is recorded to the external site.

This makes it easy for someone to login as another user, including admins. all the exploiter has to do is edit their cookie file, save it, and visit the site and they are logged in as the user. Admins need to be careful....

This has happened to only 2 forums i know of right now, including mine.

After reading the code in the thread that the user posted, its being done using HTML. now, we are always told to disable HTML on our forums, but LOTS of people use it because its a handy tool for users on our forums to play with.

so i guess the only fix, besides disabling the HTML on your forums, is to censor out these keywords that are needed for the recording of the cookie data:

Quote:
onMouseover="document.sam.src=
+document.cookie;">
i believe censoring out these keywords will work and help protect our forums


Note: im not sure if "document.sam.src=" is needed to be censored. i think just censoring onMouseover is good enough...
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01275 seconds
  • Memory Usage 1,764KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete