Html Injection

[fatalsex]

Html_Injection in vBulletin 3.5.2

-------

KAPDA New advisory

Vendor: http://www.vbulletin.com
Vulnerable Version: 3.5.2 (prior versions also may be affected)
Bug: Html_Injection (Second order Cross_Site_Scripting)
Exploitation: Remote with browser

Description:
--------------------
vBulletin is a powerful, scalable and fully customizable forums package. It has been written using the Web's quickest-growing scripting language; PHP, and is complemented with a highly efficient and ultra fast back-end database engine built using MySQL.

Vulnerability:
--------------------
Html_Injection :
The software does not properly filter HTML tags in the title of events before being passed to user in 'calendar.php'&'reminder.php AS include'. that may allow a remote user to inject HTML/javascript codes to events of calendar. The hostile code may be rendered in the web browser of the victim user who will Request Reminder for those Events (persistent).
For example an attacker creates new event (Single-All Day Event , Ranged Event OR Recurring Event)with this content:

TITLE:--------->Test<script>alert(document.cookie)</script>
BODY:---------->No matter
OTHER OPTIONS:->No matter

The hostile code will be rendered in the web browser of the victim user who will Request Reminder for this Event via http://example.com/vbulletin/calenda...addreminder&e=[eventid]
The hostile code will originate from the site running the Vbulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies),or take actions on the site acting as the target user.

Demonstration XSS URL:
--------------------
http://example.com/vbulletin/calenda...addreminder&e=[eventid]

Solution:
--------------------
There is no vendor supplied patch for this issue at this time.

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Moon-Tzu the sister of Sun-Tzu:"Wish you a good year and joyful one. HAPPY NEW YEAR"

=================

WTF how can i get rid of this ?
Its no rimender.php in incl dir.
Disabled calendar. But i think it must be BugFix

this is what we call a code leak, someone found a crack in the code, and this site is intented to help hackers to pirate your site by advertising failure on the code...

i suppose that vb.COM guys are aware of this one, as it's not new... if it is really a problem, they will release a patch/upgrade real soon...

[StGaensler]

I haven't found any bug related to this topic so I created a new bug report: http://www.vbulletin.com/forum/bugs3...iew&bugid=2037

quick&dirty:
Open calendar.php and add at line 2271:

PHP Code:

$eventinfo['title'] = htmlspecialchars_uni($eventinfo['title']); 


[Scott MacVicar]

Use this plugin to fix it, we received no notification from the author and are looking into this at the moment.

Version 3.0 changed this to a version checker so it will only affect 3.5.2 and below.

[Paul M]

Thank you Scott. I don't think we use this functionality much (if at all), but I've added the plugin anyway.

[Scott MacVicar]

Quote:

Originally Posted by Paul M

Thank you Scott. I don't think we use this functionality much (if at all), but I've added the plugin anyway.

Just updated the plugin to take into account an issue on online.php, uninstall the current one and re-install this.

I think this can be sorted with permissions too.

[Scott MacVicar]

One more bump, changed to a product and added some install code so it will only run for 3.5.2 and below.