vb.org Archive - View Single Post - vB 3.8.7 PL 3 XSS Leak in Email Link to Friend?

Smitty · #1 03-18-2013, 10:23 PM

I'm not sure if this is really the right forum for this. Please move if it's not "best fit".

This in on a fully patched 3.8.7 Patch Level 3 install. It IS an old forum which is highly modified - Too many mods to list here.

Someone has figured out how to use a phrase in one of my sites and cause spam emails to be sent. It uses the "Email Link to Friend" phrase and some of its variables. I *assume* it is a cross site XSS issue but I am not sure. I know this is happening because of Bounce messages I am getting.

1. I never did have the email to friend feature enabled for any user group and my tests show the people do get the error message if they try.

2. I "emptied" the sendtofriend template so now all a person gets is a message ""Send Link To Friend" DISABLED due to potential spam issues."

3. It is (now was) obviously using some of the "$vbphrase[sendtofriend]" phrase variables, so I emptied that out and put in my own message (without any variables) with an apology. Prior to doing that it gave a link to a web site using the "$vbphrase[sendtofriend]" phrase somehow, and used a couple "real" variables in that phrase.

Now that I have completely eliminated the variables in the phrase and put in my own text (an apology and brief explanation of what I *think* is happening) the spam content they were sending doesn't show - Only the text I put in shows in the emails which are sent.

4. No emails are going to forum members. They are somehow using a mailing list.

5. Somehow they are getting the email address set in the vB adminCP > Options > Site Name / URL / Contact Details as the "Sent By" - If I change that the spam email "From" address changes with it.

6. They are able to put in their own "Subject" in the spam emails being sent.

7. I have vBulletin set up to use php to send outgoing emails.

Has anyone heard of anything like this? And/or any ideas on how it is being done, not to mention how to stop it?

What is surprising is that now that I can control the spam email contents, it seems to me they would stop, which they haven't.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01215 seconds Memory Usage 1,764KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: