Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

Reply
 
Thread Tools Display Modes
  #1  
Old 12-09-2004, 08:04 PM
Michael Morris's Avatar
Michael Morris Michael Morris is offline
 
Join Date: Nov 2003
Location: Knoxville TN
Posts: 774
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Critical vulnerability in Vbullletin 3.x - Self-Submitting HTML Form Attacks

I submitted this to vb3 but since I have a fix I thought I'd share it.

Vbulletin forums can be attacked from self submitting forms. Basically you write a small html file with a self submitting form to make a post, change signature, maybe change a password. You then submit a link on the post inviting curious board members to follow it. When they do, it does it's evil magic, using their cookie or session variable for authorization.

To block this nasty attack, use the PHPINCLUDE_START template to verify that all attempts to execute a $_POST action originate from your boards.

PHP Code:
if (!empty($_POST['do']) AND !strstr($_SERVER['HTTP_REFERER'], "YOURBOARDSURL")) 

print_no_permission();

Replace YOURBOARDSURL with, well, your boards url.
Reply With Quote
  #2  
Old 12-10-2004, 12:03 PM
Floris Floris is offline
 
Join Date: Jan 2002
Posts: 1,898
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is the unique support ticket system id - you should get it when you submit it to vbulletin.
Reply With Quote
  #3  
Old 12-10-2004, 12:06 PM
SaN-DeeP's Avatar
SaN-DeeP SaN-DeeP is offline
 
Join Date: Jun 2002
Location: Mumbai, India
Posts: 1,195
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Do we really need to add/apply the fix to our site/forums ?

Regards,
Reply With Quote
  #4  
Old 12-10-2004, 12:06 PM
Kier Kier is offline
 
Join Date: Oct 2001
Posts: 131
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Michael Morris
I submitted this to vb3 but since I have a fix I thought I'd share it.

Vbulletin forums can be attacked from self submitting forms. Basically you write a small html file with a self submitting form to make a post, change signature, maybe change a password. You then submit a link on the post inviting curious board members to follow it. When they do, it does it's evil magic, using their cookie or session variable for authorization.

To block this nasty attack, use the PHPINCLUDE_START template to verify that all attempts to execute a $_POST action originate from your boards.

PHP Code:
if (!empty($_POST['do']) AND !strstr($_SERVER['HTTP_REFERER'], "YOURBOARDSURL")) 

    
print_no_permission();

Replace YOURBOARDSURL with, well, your boards url.
The code you have there is potentially problematic - try replacing it with this:

PHP Code:
if (!empty($_POST['do']) AND strpos(strtolower($_SERVER['HTTP_REFERER']), strtolower($_SERVER['HTTP_HOST'])) === false)
{
print_no_permission();

It should also be noted that if your webserver is one of the rare ones that does not set an HTTP referrer, this code will break vBulletin and prevent just about any kind of interaction with it.
Reply With Quote
  #5  
Old 12-10-2004, 12:35 PM
miz miz is offline
 
Join Date: Mar 2003
Posts: 416
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

so should we do it ?
is it apply for 3.0.3 ?
Reply With Quote
  #6  
Old 12-10-2004, 01:25 PM
Kier Kier is offline
 
Join Date: Oct 2001
Posts: 131
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by miz
so should we do it ?
is it apply for 3.0.3 ?
I do not consider it to be a critical problem, as just about every web application out there can be exploited in this manner.

We are looking into ways to combat it for the forthcoming vBulletin release, but for now if you want a temporary fix and you are certain that your server sets the HTTP referer field, then you can use the code posted above.
Reply With Quote
  #7  
Old 12-10-2004, 02:39 PM
SaN-DeeP's Avatar
SaN-DeeP SaN-DeeP is offline
 
Join Date: Jun 2002
Location: Mumbai, India
Posts: 1,195
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Kier
I do not consider it to be a critical problem, as just about every web application out there can be exploited in this manner.

We are looking into ways to combat it for the forthcoming vBulletin release, but for now if you want a temporary fix and you are certain that your server sets the HTTP referer field, then you can use the code posted above.
call me a noob but how to test if server sets the HTTP referer field ?
Reply With Quote
  #8  
Old 12-10-2004, 02:49 PM
Kier Kier is offline
 
Join Date: Oct 2001
Posts: 131
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by SaN-DeeP
call me a noob but how to test if server sets the HTTP referer field ?
Copy this code to a file called reftest.php and upload it to your server, then browse to the file and click the button on the page.

PHP Code:
<?php

if (!empty($_POST['do']))
{
    if (
$_SERVER['HTTP_REFERER'] != '')
    {
        echo 
"<p>Your HTTP referrer is <em>$_SERVER[HTTP_REFERER]</em>.</p>";
    }
    else
    {
        echo 
"<p>Your server does not appear to set an HTTP referrer. Oh dear.</p>";
    }
}

?>
<form action="reftest.php" method="post">
<input type="hidden" name="do" value="moo" />
<input type="submit" value="Click me" />
</form>
Reply With Quote
  #9  
Old 12-10-2004, 03:40 PM
Jaxx Jaxx is offline
 
Join Date: Mar 2003
Location: Seattle, Wa
Posts: 102
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

props to the vB time for a fast response on this.
Reply With Quote
  #10  
Old 12-10-2004, 03:53 PM
WotC_Mel WotC_Mel is offline
 
Join Date: Apr 2003
Posts: 20
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

FWIW, we got hit by this exploit this week. In a matter of an hour there were 113 posts linked to the bad webpage as everytime someone looked at the linked site, it changed your sig to link to the page and created a new post under the viewers account that asked people to evaluate the "art" at said page.

So, yeah, I think it is important to view it as critical.

-Melanie
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:14 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04741 seconds
  • Memory Usage 2,261KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_php
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete