Security question

[nerbert]

I just had a member demonstrate a security problem with vB4.2.0, and I'm sure it applies to other versions as well.

I had made the mistake of building an iframe bb code and thought I had it so you couldn't iframe a local page but he demonstrated that you could use URL shortening to get around it and use that to iframe a thread that had an iframe in it and create multiple layers of iframes. That problem is another issue but what really got my attention is he iframed profile.php and used GET values to try to set the user's ignore list to ignore one of the moderators. Well, you have to confirm when you add a user to your ignore list so nothing happened. I checked profile.php and found this, starting on line 449:

PHP Code:

// ############################################################################
// ######################### EDIT BUDDY/IGNORE LISTS ##########################
// ############################################################################
if ($_REQUEST['do'] == 'addlist')
{
    $vbulletin->input->clean_array_gpc('r', array(
        'userid'   => TYPE_UINT,
        'userlist' => TYPE_NOHTML,
    )); 


Since vBulletin's clean_array_gpc('r', -------) method is the equivalent of $_REQUEST it's possible to post a link with GET parameters that will take you to the ignore frame of profile.php and (almost) set your ignore list.

There are other suspicious parts of profile.php at lines 564, 1537, 4707, 222, and elsewhere. Is there any reason to use REQUEST instead of POST for these actions?

[ForumsMods]

There are links in some places to add user to ignore/friend list like profile page, username dropdown, blog, etc.

[nerbert]

That explains why they do it with REQUEST values but none of those links should work that way. Here's a "form link" as I call it :

HTML Code:

<form action="some_file.php" method="post" id="someid"><input type="hidden" name="do" value="someaction">
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<a href="javascript:fetch_object('someid').submit()">{vb:rawphrase some _action}</a></form>

It looks like a normal link but it's not something you can post in a thread.

[ForumsMods]

vB is using real links:
profile.php?do=addlist&userlist=friend&u=x

[nerbert]

For anyone interested this is my "form link" for ignoring a user in the user profile:

Code:

<form action="profile.php" method="post">
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}">
<input type="hidden" name="do" value="addlist">
<input type="hidden" name="userlist" value="ignore">
<input type="hidden" name="u" value="{vb:raw prepared.userid}">
<a href="javascript://ignore user" onclick="this.parentNode.submit();">
<img src="{vb:stylevar imgdir_siteicons}/ignore.png" alt="{vb:rawphrase add_to_ignore_list}" class="inlineimg" /> {vb:rawphrase add_to_ignore_list}
</a>
</form>

I have it all strung out in one line. Similar form links could be made for other features.

[tbworld]

Interesting Post, thanks for posting. Now you have gone and done it... I am going to have to ponder. I will reply back when I am done pondering