Home page logo

bugtraq logo Bugtraq mailing list archives

[BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9
From: bugtraq () morph3us org
Date: 18 Sep 2005 10:29:48 -0000

Hash: SHA1
| BuHa Security-Advisory #3     |    Sep 17th, 2005 |
| feat. SePro Bugtraq           |                   |
| Vendor   | vBulletin                              |
| URL      | http://vbulletin.com/                  |
| Version  | <= vBulletin 3.0.9                     |
| Risk     | Moderate (SQL-Injection and            |
|          |           Arbitrary File Upload)       |

First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they are going to look into these bugs. We
never got another mail with information about the problems they fixed -
they also did not inform us about the release of the latest version
which *should* address all known security problems. So it comes as no
surprise that they missed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release *any*
information about patched security problems in their announcement [1]
for the current version too. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture but who cares.

o Description:

vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)

POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

GET: <do=edit&usertitleid=0XF>

GET: <do=pmuserstats&ids=0XF>

o XSS: (Fixed in vB 3.0.9)

GET: <do=doedit&dostyleid=1&group=[XSS]>

GET: <redirect=[XSS]>

GET: <do=emailpassword&email=[XSS]>

GET: <do=rebuild&goto=[XSS]>

GET: <do=view&orderby=[XSS]>

GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]

o Arbitrary File Upload:

An user with access to administrator panel (e.g. (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is able to gain the ability to execute commands under
the context of the web server.

POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:

POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05

GET: <do=avatar&userid=0XF>

There are still a lot of security related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.

POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

POST: <do=update&rvt[0]=[SQL-Injection]>

POST: <do=completeorphans&keep[0]=[SQL-Injection]>

POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript-Code in it.

Not properly filtered: (XSS)

o Disclosure Timeline:

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.

o Credits:

deluxe <deluxe () security-project org>

- ---

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

- --
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/

Version: n/a
Comment: http://morph3us.org/


  By Date           By Thread  

Current thread:
  • [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9 bugtraq (Sep 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]