Thread: Security question
View Single Post
  #1  
Old 03-07-2013, 07:00 PM
nerbert nerbert is offline
 
Join Date: May 2008
Posts: 784
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Security question
I just had a member demonstrate a security problem with vB4.2.0, and I'm sure it applies to other versions as well.

I had made the mistake of building an iframe bb code and thought I had it so you couldn't iframe a local page but he demonstrated that you could use URL shortening to get around it and use that to iframe a thread that had an iframe in it and create multiple layers of iframes. That problem is another issue but what really got my attention is he iframed profile.php and used GET values to try to set the user's ignore list to ignore one of the moderators. Well, you have to confirm when you add a user to your ignore list so nothing happened. I checked profile.php and found this, starting on line 449:

PHP Code:
// ############################################################################
// ######################### EDIT BUDDY/IGNORE LISTS ##########################
// ############################################################################
if ($_REQUEST['do'] == 'addlist')
{
    $vbulletin->input->clean_array_gpc('r', array(
        'userid'   => TYPE_UINT,
        'userlist' => TYPE_NOHTML,
    )); 
Since vBulletin's clean_array_gpc('r', -------) method is the equivalent of $_REQUEST it's possible to post a link with GET parameters that will take you to the ignore frame of profile.php and (almost) set your ignore list.

There are other suspicious parts of profile.php at lines 564, 1537, 4707, 222, and elsewhere. Is there any reason to use REQUEST instead of POST for these actions?
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01035 seconds
  • Memory Usage 1,768KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete