Thứ Tư, 1 tháng 8, 2012

vBulletin 4.2.0 XSS Vulnerability 

$------------------------------------------------------------------------------------------------------------
$ vBulletin 4.2.0 XSS Vulnerability 
$ Author : sangteamtham 
$ Home : Hcegroup.vn 
$ Download: http://members.vbulletin.com/ 
$ Date :06/13/2012 
$ Google Dork: "Powered by vBulletin® Version 4.2.0"
$ Twitter: http://twitter.com/Sangte_amtham
$************************************************************************************************************* 
1.vBulletin Description:

 Content publishing, search, security, and more— vBulletin has it all. 
 Whether it’s available features, support, or ease-of-use, vBulletin offers the most for your money. 
 Learn more about what makes vBulletin the choice for people who are serious about creating 
 thriving online communities.

2. Vulnerability Description:

To steal cookie from administrator or any member in a forum or drive them to malicious sites, attacker will firstly create an account, then come to 
calendar section, and create an event for himself. 

In title, he will inject XSS code there. For sample:

"><img src=x onerror=alert(1)> 

In content section, he will write everything he likes. Now, he will send his profile to Administrator or any member
and wait for cookie or victims' infection.

http://127.0.0.1/vbb/member.php?id-xyz

3. Patch:

June 13, 2012: Contacted the vendor. 
June 14, 2012: Vendor replied me.
June 18, 2012: the vendor released the patch for this vulnerabitily. Please download it from member Area right now.

https://members.vbulletin.com/patches.php

$************************************************************************************************************** 
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security 
$ 
$ 
$---------------------------------------------------------------------------------------------------------------
 
vBulletin 4.2 (Suite & Forum) PL2 Security Patch Now Available.



A recent vBulletin report indicated that there was a potential XSS 
exploit vector involving the new Activity Stream. Once the cause of the 
issue was isolated, code changes were made to eliminate the reported 
threat.



This issue affects ONLY vBulletin 4.2 (Suite & Forum).



A patch has been issued for vBulletin 4.2.



Patches are available at http://members.vbulletin.com.



As with all security-based releases, we recommend that all affected customers upgrade as soon as possible.



For additional information, click here 
 
Cho anh em nghịch trước khi nó public lên các site bug .



Đã làm video về khai thác bug này với xssf kết hợp với metasploit. Nhưng
 để lúc khác public sau. Dạo này bận quá, đang bị stress nặng với công 
việc 





Nói rõ hơn về lỗi này, nó nằm ở file event.php



Đường dẫn:



doc_root/vb/activitystream/view/perm/calendar/event.php



Line 74 đến 77.
1
2
3
4
5
public function fetchTemplate($templatename, $activity)
{
    $eventinfo =& $this->content['event'][$activity['contentid']];
    $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];


Khi title của event xuất hiện trên Stream Activity, nó không được filter tốt, Nên nó sẽ tung ra lỗi.

Đoạn này ta fix bằng cách chèn thêm đoạn filter title của calendar.
1
2
3
4
5
6
public function fetchTemplate($templatename, $activity)
{
    $eventinfo =& $this->content['event'][$activity['contentid']];
    $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];
        $eventinfo['title'] = htmlspecialchars_uni($eventinfo['title']);
Chuyên Mục:
Người đăng: vào lúc

2 nhận xét:

  1. Unknownlúc 13:20 8 tháng 9, 2012

    Anh chỉ em cách khai thác cụ thể hơn được không ạ.

    Trả lờiXóa
  2. Kẻ Chọc Giậnlúc 06:52 9 tháng 9, 2012

    http://kechocgianvn.blogspot.com/search/label/XSS ở đây có mấy bài viết nói về xss. c thử nghiên cứu xem. mình còn gà về cái này lắm

    Trả lờiXóa

Đăng ký: Đăng Nhận xét (Atom)