The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
||||
|
||||
Critical vulnerability in Vbullletin 3.x - Self-Submitting HTML Form Attacks
I submitted this to vb3 but since I have a fix I thought I'd share it.
Vbulletin forums can be attacked from self submitting forms. Basically you write a small html file with a self submitting form to make a post, change signature, maybe change a password. You then submit a link on the post inviting curious board members to follow it. When they do, it does it's evil magic, using their cookie or session variable for authorization. To block this nasty attack, use the PHPINCLUDE_START template to verify that all attempts to execute a $_POST action originate from your boards. PHP Code:
|
#2
|
|||
|
|||
What is the unique support ticket system id - you should get it when you submit it to vbulletin.
|
#3
|
||||
|
||||
Do we really need to add/apply the fix to our site/forums ?
Regards, |
#4
|
|||
|
|||
Quote:
PHP Code:
|
#5
|
|||
|
|||
so should we do it ?
is it apply for 3.0.3 ? |
#6
|
|||
|
|||
Quote:
We are looking into ways to combat it for the forthcoming vBulletin release, but for now if you want a temporary fix and you are certain that your server sets the HTTP referer field, then you can use the code posted above. |
#7
|
||||
|
||||
Quote:
|
#8
|
|||
|
|||
Quote:
PHP Code:
|
#9
|
|||
|
|||
props to the vB time for a fast response on this.
|
#10
|
|||
|
|||
FWIW, we got hit by this exploit this week. In a matter of an hour there were 113 posts linked to the bad webpage as everytime someone looked at the linked site, it changed your sig to link to the page and created a new post under the viewers account that asked people to evaluate the "art" at said page.
So, yeah, I think it is important to view it as critical. -Melanie |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|