#1  03-18-2013, 10:23 PM
Smitty
Join Date: Sep 2002
Location: Southern Ohio
Posts: 385

vB 3.8.7 PL 3 XSS Leak in Email Link to Friend?

I'm not sure if this is really the right forum for this. Please move if it's not "best fit".

This is on a fully patched 3.8.7 Patch Level 3 install. It IS an old forum which is highly modified - too many mods to list here.

Someone has figured out how to use a phrase on one of my sites and cause spam emails to be sent. It uses the "Email Link to Friend" phrase and some of its variables. I *assume* it is a cross site XSS issue but I am not sure. I know this is happening because of bounce messages I am getting.

1. I never did have the email to friend feature enabled for any user group, and my tests show that people do get the error message if they try.

2. I "emptied" the sendtofriend template, so now all a person gets is a message "'Send Link To Friend' DISABLED due to potential spam issues."

3. It is (now was) obviously using some of the "$vbphrase[sendtofriend]" phrase variables, so I emptied that out and put in my own message (without any variables) with an apology. Prior to doing that it gave a link to a web site using the "$vbphrase[sendtofriend]" phrase somehow, and used a couple of "real" variables in that phrase.

Now that I have completely eliminated the variables in the phrase and put in my own text (an apology and brief explanation of what I *think* is happening), the spam content they were sending doesn't show - only the text I put in shows in the emails which are sent.

4. No emails are going to forum members. They are somehow using a mailing list.

5. Somehow they are getting the email address set in the vB adminCP > Options > Site Name / URL / Contact Details as the "Sent By" - if I change that, the spam email "From" address changes with it.

6. They are able to put in their own "Subject" in the spam emails being sent.

7. I have vBulletin set up to use php to send outgoing emails.

Has anyone heard of anything like this? And/or any ideas on how it is being done, not to mention how to stop it?

What is surprising is that now that I can control the spam email contents, it seems to me they would stop, which they haven't.
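Since the forum sends through PHP's mail() (point 7 above), one way to pin down which script is producing the blasts is PHP's `mail.log` ini directive, which records every mail() call with the calling script, line, recipient and extra headers. The parser below is an added example, not from the thread or from vBulletin; the log lines are constructed in the format mail.log writes, and the script paths and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a PHP mail.log (format: "[date] mail() on [script:line]:
# To: addr -- Headers: hdrs"). Paths and addresses are placeholders, not real vB paths.
SAMPLE_MAIL_LOG = """\
[18-Mar-2013 22:01:07 UTC] mail() on [/var/www/forum/register.php:412]: To: newuser@example.org -- Headers: From: admin@example-forum.test
[18-Mar-2013 22:03:10 UTC] mail() on [/var/www/forum/sendmessage.php:221]: To: a1@list.example -- Headers: From: admin@example-forum.test
[18-Mar-2013 22:03:10 UTC] mail() on [/var/www/forum/sendmessage.php:221]: To: a2@list.example -- Headers: From: admin@example-forum.test
[18-Mar-2013 22:03:11 UTC] mail() on [/var/www/forum/sendmessage.php:221]: To: a3@list.example -- Headers: From: admin@example-forum.test
[18-Mar-2013 22:03:11 UTC] mail() on [/var/www/forum/sendmessage.php:221]: To: a4@list.example -- Headers: From: admin@example-forum.test
[18-Mar-2013 22:09:45 UTC] mail() on [/var/www/forum/private.php:88]: To: member@example.org -- Headers: From: admin@example-forum.test
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)


def parse_mail_log(text):
    """Yield one dict per parsable mail() record; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["minute"] = rec["ts"][:17]  # "18-Mar-2013 22:03": bucket key for rate counting
            yield rec


def find_bursts(text, threshold=3):
    """Return {(script, minute): count} for scripts that called mail() >= threshold
    times within one minute; a bulk send from one script stands out here."""
    counts = Counter((r["script"], r["minute"]) for r in parse_mail_log(text))
    return {k: v for k, v in counts.items() if v >= threshold}


def recipients_by_script(text):
    """Map each calling script to the sorted set of recipients it mailed, so
    addresses that are not forum members can be traced to the script that sent them."""
    by_script = defaultdict(set)
    for r in parse_mail_log(text):
        by_script[r["script"]].add(r["to"])
    return {s: sorted(t) for s, t in by_script.items()}


if __name__ == "__main__":
    for (script, minute), n in sorted(find_bursts(SAMPLE_MAIL_LOG).items()):
        print(f"{minute}: {n} mail() calls from {script}")
```

Run against the real log after setting `mail.log` (and optionally `mail.add_x_header=On`, which stamps each outgoing message with the originating script) in php.ini; the script that shows up in the burst buckets is where to put the server-side permission check, independent of what the template or phrase displays.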