what you don't know can hurt you

20050917-vbulletin-3.0.8.txt

20050917-vbulletin-3.0.8.txt
Posted Sep 22, 2005
Authored by Thomas Waldegger, deluxe

vBulletin versions 3.0.9 and below suffer from multiple SQL injection, cross site scripting, and arbitrary file upload vulnerabilities. Detailed exploitation provided.

tags | exploit, arbitrary, vulnerability, xss, sql injection, file upload
MD5 | a55c483d1d473d27f073633e4bc8d781

20050917-vbulletin-3.0.8.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------
| BuHa Security-Advisory #3 | Sep 17th, 2005 |
| feat. SePro Bugtraq | |
---------------------------------------------------
| Vendor | vBulletin |
| URL | http://vbulletin.com/ |
| Version | <= vBulletin 3.0.9 |
| Risk | Moderate (SQL-Injection and |
| | Arbitrary File Upload) |
---------------------------------------------------

First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they are going to look into these bugs. We
never got another mail with information about the problems they fixed -
they also did not inform us about the release of the latest version
which *should* address all known security problems. So it comes as no
surprise that they missed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release *any*
information about patched security problems in their announcement [1]
for the current version too. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture but who cares.

o Description:
=============

vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)
===============

> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>

> /admincp/usertools.php:
GET: <do=pmuserstats&ids=0XF>

o XSS: (Fixed in vB 3.0.9)
=====

> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php:
GET: <redirect=[XSS]>

> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>

> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>

> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]

o Arbitrary File Upload:
=======================

An user with access to administrator panel (e.g. (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is able to gain the ability to execute commands under
the context of the web server.

> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:
================

> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
&announcement[0]=[SQL-Injection]>

> /modcp/user.php:
GET: <do=avatar&userid=0XF>

There are still a lot of security related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.

> /admincp/admincalendar.php:
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
calendar[0]=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/usertools.php:
POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript-Code in it.

> Not properly filtered: (XSS)
</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>

o Disclosure Timeline:
=====================

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:
==========

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.

o Credits:
=========

deluxe <deluxe@security-project.org>

- ---

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

- --
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd
+nRt0ghXoiA88M54F/MIy1U=
=zg38
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close