-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 ---------------------------------------------------
| BuHa Security-Advisory #3     |    Sep 17th, 2005 |
| feat. SePro Bugtraq           |                   |
 ---------------------------------------------------
| Vendor   | vBulletin                              |
| URL      | http://vbulletin.com/                  |
| Version  | <= vBulletin 3.0.9                     |
| Risk     | Moderate (SQL-Injection and            |
|          |           Arbitrary File Upload)       |
 ---------------------------------------------------

First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they are going to look into these bugs. We
never got another mail with information about the problems they fixed -
they also did not inform us about the release of the latest version
which *should* address all known security problems. So it comes as no
surprise that they missed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release *any*
information about patched security problems in their announcement [1]
for the current version too. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture but who cares.

o Description:
=============

vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)
===============

> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>

> /admincp/usertools.php:
GET: <do=pmuserstats&ids=0XF>

o XSS: (Fixed in vB 3.0.9)
=====

> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php:
GET: <redirect=[XSS]>

> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>

> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>

> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]

o Arbitrary File Upload:
=======================

An user with access to administrator panel (e.g. (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is able to gain the ability to execute commands under
the context of the web server.

> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:
================

> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
&announcement[0]=[SQL-Injection]>

> /modcp/user.php:
GET: <do=avatar&userid=0XF>

There are still a lot of security related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.

> /admincp/admincalendar.php:
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
calendar[0]=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/usertools.php:
POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript-Code in it.

> Not properly filtered: (XSS)
</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>

o Disclosure Timeline:
=====================

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:
==========

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.

o Credits:
=========

deluxe <deluxe@security-project.org>

- ---

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

- --
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd
+nRt0ghXoiA88M54F/MIy1U=
=zg38
-----END PGP SIGNATURE-----