Improtant Security Fix for 2.0.0 - 2.2.8

[Brad]

This is a quote from this post @ vbulletin.com forums.

Quote:

.:: vBulletin XSS Security Bug

vBulletin is a powerful and widely used bulletin board system, based on
PHP language and MySQL database. One of its features is the usage of
templates to modify the boards look. I discovered lately a Cross-Site
Scripting vulnerability that would attackers to inject maleficent codes
and execute it on the clients browser.

+ Vulnerable Versions:

- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.
- Jelsoft vBulletin 2.0.0 Candidate 3.
- Jelsoft vBulletin 2.0.0 Candidate 2.
- Jelsoft vBulletin 2.0.0 Candidate 1.
- Jelsoft vBulletin 2.0.0 Beta 5.
- Jelsoft vBulletin 2.0.0 Beta 4.
- Jelsoft vBulletin 2.0.0 Beta 4.1.
- Jelsoft vBulletin 2.0.0 Beta 3.
- Jelsoft vBulletin 2.0.0 Beta 2.
- Jelsoft vBulletin 2.0.0 Beta 1.
- Jelsoft vBulletin 2.0.0 Alpha.

+ Details:

In global.php there is a variable [$scriptpath], the value of it is the
referred URL that the client came from. Move on to admin/functions.php,
in show_nopermission function the $scriptpath is called as a global
variable. The content of the variable gets printed in the
error_nopermission_loggedin template without filtering it. So if we pass
some tags and script codes in the URL and refresh the page it will be
printed in the no permission template. The same thing with $url variable
which print its contents in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

- Go to usercp.php?s=[Session ID]"><Script>alert
(document.cookie);</Script> [You can use it wherever
error_nopermission_loggedin get printed].
- A pop-up window will appear and you'll receive an error message.
- Then log in.
- Go back to the previous pages where you left the login form.
- Then the pop-up window will appear again containing the User ID and
Password Hash.

The same thing with $url templates.

+ Solution:

- Forum administrator can add some codes that will check the referred
URL and filter its inputs or upgrade to vBulletin 3.0.

+ Links:

- Http://www.vBulletin.com

2.2.9 will be released soon to fix this bug, in the mean time you sould patch your board by uploading a fix found here (note: ive only tested this with 2.2.8 myself).

The fix john posted seems to have problems, use ppn's working fix found here

[DestyNova]

Never mind.. I finally got it work and it show hashes but when I update global.php with John's fix and still show the hashes hmm..

[Brad]

Try ppn's fix found here that is the one im currently running. (note: upload to root/ not root/admin/)

[DestyNova]

Yup PPN's global.php work, not John's. Thanks!

thanks for info , loo

[Tony G]

Gonna patch up later. Thanks AL.

[lifesourcerec]

Quote:

Originally Posted by DestyNova

Yup PPN's global.php work, not John's. Thanks!

In v2.26, this line can not be found.

Quote:

look for
PHP:
--------------------------------------------------------------------------------
$url=$HTTP_SERVER_VARS['HTTP_REFERER'];

[filburt1]

Hello and welcome to last year. Also we don't allow discussion of file editing here.

[Tony G]

Hehe.

Please take your discussion to vB.org. But, it's as easy as upgrading to 2.30 now. It has all the fixes.

[lifesourcerec]

hehe.. ok. Not like I check this place too often. Sorry about that.