1 thg 8, 2012

vBulletin 4.2.0 XSS Vulnerability

$------------------------------------------------------------------------------------------------------------
$ vBulletin 4.2.0 XSS Vulnerability
$ Author : sangteamtham
$ Home : Hcegroup.vn
$ Download: http://members.vbulletin.com/
$ Date :06/13/2012
$ Google Dork: "Powered by vBulletin® Version 4.2.0"
$ Twitter: http://twitter.com/Sangte_amtham
$*************************************************************************************************************
1.vBulletin Description:

Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers the most for your money.
Learn more about what makes vBulletin the choice for people who are serious about creating
thriving online communities.

2. Vulnerability Description:

To steal cookie from administrator or any member in a forum or drive them to malicious sites, attacker will firstly create an account, then come to
calendar section, and create an event for himself.

In title, he will inject XSS code there. For sample:

"><img src=x onerror=alert(1)>

In content section, he will write everything he likes. Now, he will send his profile to Administrator or any member
and wait for cookie or victims' infection.

http://127.0.0.1/vbb/member.php?id-xyz

3. Patch:

June 13, 2012: Contacted the vendor.
June 14, 2012: Vendor replied me.
June 18, 2012: the vendor released the patch for this vulnerabitily. Please download it from member Area right now.

https://members.vbulletin.com/patches.php

$**************************************************************************************************************
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
$
$
$---------------------------------------------------------------------------------------------------------------
 
vBulletin 4.2 (Suite & Forum) PL2 Security Patch Now Available.



A recent vBulletin report indicated that there was a potential XSS
exploit vector involving the new Activity Stream. Once the cause of the
issue was isolated, code changes were made to eliminate the reported
threat.



This issue affects ONLY vBulletin 4.2 (Suite & Forum).



A patch has been issued for vBulletin 4.2.



Patches are available at http://members.vbulletin.com.



As with all security-based releases, we recommend that all affected customers upgrade as soon as possible.



For additional information, click here 
 
Cho anh em nghịch trước khi nó public lên các site bug .



Đã làm video về khai thác bug này với xssf kết hợp với metasploit. Nhưng
để lúc khác public sau. Dạo này bận quá, đang bị stress nặng với công
việc





Nói rõ hơn về lỗi này, nó nằm ở file event.php



Đường dẫn:



doc_root/vb/activitystream/view/perm/calendar/event.php



Line 74 đến 77.


































1
2
3
4
5
public function fetchTemplate($templatename, $activity)
{
    $eventinfo =& $this->content['event'][$activity['contentid']];
    $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];


Khi title của event xuất hiện trên Stream Activity, nó không được filter tốt, Nên nó sẽ tung ra lỗi.

Đoạn này ta fix bằng cách chèn thêm đoạn filter title của calendar.
1
2
3
4
5
6
public function fetchTemplate($templatename, $activity)
{
    $eventinfo =& $this->content['event'][$activity['contentid']];
    $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];
        $eventinfo['title'] = htmlspecialchars_uni($eventinfo['title']);

Không có nhận xét nào:

Đăng nhận xét