Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page Critical vulnerability in Vbullletin 3.x - Self-Submitting HTML Form Attacks
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
Page 2 of 2 1 2
 
Thread Tools Display Modes
  #11  
Old 12-10-2004, 04:27 PM
WotC_Tech WotC_Tech is offline
 
Join Date: Jan 2004
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Kier
I do not consider it to be a critical problem, as just about every web application out there can be exploited in this manner.
I won't argue that many web applications have this vulnerability, but I would like to point out the severity to other vB administrators. If an admin of your forum is tricked into visiting a web site containing one of these self-submitting forms, an attacker can gain administrative privileges on your forum, and perform other administrative tasks in the context of the admin who visited the malicious web site.

While this exploit requires some interaction from a site admin, it is not very difficult to trick someone into visiting a site.
Reply With Quote
  #12  
Old 12-10-2004, 10:34 PM
WotC_Tech WotC_Tech is offline
 
Join Date: Jan 2004
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Kier
The code you have there is potentially problematic - try replacing it with this:

PHP Code:
if (!empty($_POST['do']) AND strpos(strtolower($_SERVER['HTTP_REFERER']), strtolower($_SERVER['HTTP_HOST'])) === false)
{
print_no_permission();

To prevent bypassing this mechanism it might be better to check only the "host" portion of the referer:
PHP Code:
$parsed_referer=parse_url($_SERVER['HTTP_REFERER']);
if ((!empty($_POST['do'])) AND
  (strtolower($parsed_referer['host']) != strtolower($_SERVER['HTTP_HOST'])))
print_no_permission(); } 
Otherwise an attacker could simply append the hostname of the forum server to the end of the URL.

-Mike
Reply With Quote
  #13  
Old 12-14-2004, 09:43 AM
SaN-DeeP's Avatar
SaN-DeeP SaN-DeeP is offline
 
Join Date: Jun 2002
Location: Mumbai, India
Posts: 1,195
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Kier
Copy this code to a file called reftest.php and upload it to your server, then browse to the file and click the button on the page.
Done.. clicked the button and i got the proper message
Your HTTP referrer is http://www.tech-arena.com/reftest.php.

My Server aint vulnerable
Thank for help

Regards,
Reply With Quote
  #14  
Old 12-14-2004, 05:51 PM
WetWired's Avatar
WetWired WetWired is offline
 
Join Date: Jun 2002
Location: Texas
Posts: 669
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Be aware that some internet privacy programs strip outgoing HTTP_REFFERER information, which will result in a very frustrating situation for some people if you use this fix; many will not even know that the privacy program is doing this.
Reply With Quote
Reply
Page 2 of 2 1 2

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 08:56 AM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04594 seconds
  • Memory Usage 2,196KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (4)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete