vBulletin 5.x / 4.x Persistent Cross Site Scripting
Posted Oct 12, 2014
Authored by oststrom

vBulletin versions 5.x and 4.x suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-2021
SHA-256 | 5d7e0332012b5ff0ccca849a35d2ba9c2d680f444985d0f62bc7fcbac0ad9c1d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
================================================================================================

Overview
--------

date    : 10/12/2014
cvss    : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe     : 79

vendor  : vBulletin Solutions
product : vBulletin 4 / vBulletin 5
versions affected : latest 4.x and 5.x (to date); verified <= 4.2.2 ; <= 5.0.x
  * vBulletin 5.0.5 (verified)
  * vBulletin 4.2.2 (verified)
  * vBulletin 4.2.1 (verified)
  * vBulletin 4.2.0 PL2 (verified)

exploitability :
  * remotely exploitable
  * requires authentication (API key)
  * requires non-default features to be enabled (API interface, API logging)
  * requires user interaction to trigger the exploit (an admin views the client entry in AdminCP -> API log)

patch availability (to date) : None

Abstract
--------

vBulletin 4/5 does not sanitize client-provided XML-RPC attributes (e.g. the client name) before logging them, so a remote XML-RPC client can inject HTML/JavaScript into the API log page of the AdminCP. The injected code executes once an administrator opens the API log and clicks on the API client's name.

risk: rather low, because a valid API key is required. CVE-2014-2023 can probably be used to obtain the API key.

Details
-------

vulnerable component:
  ./admincp/apilog.php?do=viewclient

apilog.php does not sanitize the XML-RPC client-provided data before passing it to print_label_row to generate the output page; the stored client name is therefore emitted as raw HTML.

Proof of Concept (PoC)
----------------------

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021

1) prerequisites
   1.1) enable the API and generate an API key
        - log on to the AdminCP
        - go to "vBulletin API" -> "API-Key", enable the API interface and generate a key
        - go to "vBulletin API" -> "API-Log" and enable all API logging
2) run the PoC
   - edit the PoC to match your TARGET and APIKEY (optionally DEBUGLEVEL)
   - run the PoC and wait for the SUCCESS! message
3) trigger the exploit
   - log on to the AdminCP
   - go to "vBulletin API" -> "API-Log" and hit "view"
   - in the search results click on the "client name"
   - the injected msgbox pops up
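The data flow behind the steps above, as an added example that is not part of the original advisory or of the tintinweb PoC: an XML-RPC client chooses its own client name, the name is stored verbatim in the API log, and the AdminCP log view later emits it as HTML. The XML-RPC method name (api_init), its parameter names (clientname, api_key, ...) and the two print_label_row functions are assumptions that stand in for vBulletin's real code; the hardened variant shows the fix the advisory implies, encoding untrusted data at the output boundary.

```python
"""Added example modelling CVE-2014-2021 (not the advisory's or vBulletin's code).

Method and parameter names below are assumptions standing in for the real
vBulletin XML-RPC API; the print_label_row_* functions model the AdminCP
row template, not vBulletin's actual implementation.
"""
import html
import xmlrpc.client

# Constructed payload: the harmless msgbox the advisory describes.
PAYLOAD = '<script>alert("CVE-2014-2021")</script>'


def build_api_init_request(clientname: str, apikey: str = "0123abcd") -> bytes:
    """Client side: serialise the XML-RPC call a PoC would send.

    Assumed layout: a single struct parameter carrying the client's
    self-description plus the API key (post-auth, as the advisory states)."""
    params = ({
        "clientname": clientname,          # attacker-controlled, logged verbatim
        "clientversion": "1.0",
        "platformname": "poc",
        "platformversion": "1.0",
        "uniqueid": "poc-client-1",
        "api_key": apikey,
    },)
    return xmlrpc.client.dumps(params, methodname="api_init").encode()


def parse_logged_clientname(request_body: bytes) -> str:
    """Server side: extract the client name exactly as the API log stores it.

    Storing the raw value is fine in itself; the bug is the missing
    encoding when the log entry is rendered."""
    params, method = xmlrpc.client.loads(request_body.decode())
    if method != "api_init":
        raise ValueError(f"unexpected method {method!r}")
    return params[0]["clientname"]


def print_label_row_vulnerable(label: str, value: str) -> str:
    """Model of apilog.php?do=viewclient: the stored value is interpolated
    into the row template with no encoding, so markup in it becomes live HTML."""
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def print_label_row_fixed(label: str, value: str) -> str:
    """Hardened form: HTML-encode every untrusted field at the output boundary."""
    return (f"<tr><td>{html.escape(label)}</td>"
            f"<td>{html.escape(value, quote=True)}</td></tr>")


def contains_live_script(rendered_html: str) -> bool:
    """Crude post-render check: did an unencoded <script> tag survive?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    body = build_api_init_request(PAYLOAD)
    name = parse_logged_clientname(body)
    print("vulnerable:", print_label_row_vulnerable("Client name", name))
    print("fixed     :", print_label_row_fixed("Client name", name))
```

The XML-RPC transport itself is not the problem: xmlrpc.client escapes the angle brackets on the wire and the server decodes them back, so the stored client name is the literal payload. Whether that payload runs depends solely on how the log viewer emits it.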





Timeline
--------

2014-01-14: initial vendor contact - no reply
2014-01-24: vendor contact - no reply
2014-10-13: public disclosure

Contact
-------

tintinweb - https://github.com/tintinweb/pub/cve-2013-2021

(0x721427D8)

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJUPDfoAAoJEBgB43t1YjbLsu8P/1m8lGQGk8MwjsbpcHsEkfdD
CPEivvYOUfQXQPas5iqTLmWGqJWFvpKm9pHX4+Iygq3ogeAO7cmefSEvltX55uuF
6LaikmhjYfJW1SutTKE375HGuBxRA2m1kuvBN2z2bY+yqDZXpKeO9Ho1YEYQJ79N
Q6Urz8WWO41tUhEJ2APdB6BhXIulEBM7Xogy2qlFoKD4Z7vNCt7olNTpe7+gzJe2
cZTiLMLMxndgkfb2evORcX/a9EdAeDPYvgQrmzmeUllZ24CK4C+JM2iOsRLSaIqf
uvbwv4ZKvtlX0LuAYTEk9N1gvDYnxEwHiv7+hsVYpSxHSLS+Nk77mir/LnZxsW9A
pz36AmavGekvi1hr7QYMLB/b4+TREeKKjA0XAf6eZbwDeNgSXLY2ptvY8Li+oRHL
qYPkwrDHm57FjG4LRgsYGBdzi7ALW1nRfBuh1KAbklavXSHitVsBJhREX/YsJ12g
ycbGqxkP4keSTqb61EHtW8hU41riPT5+XxhWgQRVVJvc3t5rp8ztzzTrbhsyz7PW
CQ5bTSR1rks0MRHaoEm9SrVvITIBrhGHpCplqWOKiEcSSHr0Q4RBxB8jr3n1eR1R
Nzzpp//PUBQazScCa3zJOrCrfOCJjmKPUZwqRRyook1hJRWj0IzVLVqUEUCuHCj9
skeeueYa1iweiHwNgZdn
=BO28
-----END PGP SIGNATURE-----

