
RE: vBulletin Security Vulnerability



I published this vuln. on 06.08.2003

http://ferruh.mavituna.com/article/?256
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0078.html


------------------------------------------------------ 
History 
------------------------------------------------------ 
Discovered : 15.07.2003 
Vendor Informed : 29.07.2003 
Published : 06.08.2003

Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc

-----Original Message-----
From: gcf@xxxxxxxx [mailto:gcf@xxxxxxxx] 
Sent: Tuesday, January 20, 2004 8:06 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; vuln-dev@xxxxxxxxxxxxxxxxx
Subject: vBulletin Security Vulnerability 

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0xF12B25CA)
*** Signed:   1/20/2004 8:08:27 PM
*** Verified: 1/20/2004 10:19:33 PM
*** BEGIN PGP VERIFIED MESSAGE ***

- -------------------------------------------------------
 GERMAN COMPUTER FREAKS - SECURITY ADVISORY - SINCE 1997
                  January 20st, 2003
- -------------------------------------------------------

  Software      : vBulletin Bulletin Board
  Vendor        : Jelsoft Enterprises Limited / inGame GmbH
  Vulnerability : Cross Site Scripting
  Status        : Author has been notified

- ------------------------------------------------------

- - - Description

    vBulletin Bulletin Board derivatives contain a security bug
   that may lead to disclosure of private information due to a
   cross site scripting attack.

    This vulnerability may enable an attacker to transmit sensitive
   information like 'encrypted' passwords, user identification
   numbers or forum passwords to another server.

    Currently, we will refrain from publishing proof of concept
   information to mitigate the impact of this vulnerability.

- - - Technical Details

    Due to an improperly quoted field in register.php it's possible
   to inject malicious HTML code. With the use of JavaScript code
   an attacker is then able to send sensitive information (like
   cookies) to a foreign server.

   Attack Example:

   <form action="http://www.VULN-BOARD.com/register.php" method="GET">
   <input type="hidden" name="reg_site"
    value="<SCRIPT><!-- EVIL CODE //--></SCRIPT>"/>
   <input type="text" name="email" value="" />
   <input type="submit" value="Show my cookies" />

- - - Patch

    The vendor released a patch for this vulnerability.

- - - Closing Words

  07.01.04  Contacting the board developers and explaining the vulnerability
  08.01.04  Developing a proof of concept tool (undisclosed)
  20.01.04  Disclosure of this advisory to public

- - - Greets

     This bug was found by Darkwell. We would like to greet Natok!
     He's great!

                        _________________ ___________
                       /  _____/\_   ___ \\_   _____/
                      /   \  ___/    \  \/ |    __)
                      \    \_\  \     \____|     \
                       \______  /\______  /\___  /
                              \/        \/     \/
                        The German Computer Freaks
                         www.gcf.de    Since 1997             /\
                                                             /  \
____________________________________________________________/ # /
                                                            \  /
                                                             \/


*** END PGP VERIFIED MESSAGE ***
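
The quoting flaw described under Technical Details, as an added example that is not part of the advisory and is not vBulletin's code: a render function that copies a request value into a quoted attribute unchanged, beside one that encodes it for the attribute context, with a parser-based check of what each produces. The function names and the sample value are constructed for illustration.

```php
<?php
// Added illustration; not vBulletin source. All function names are hypothetical.

// Vulnerable pattern: the request value is copied into a double-quoted
// attribute unchanged, so a '"' inside the value ends the attribute early.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote characters; '<', '>' and '&' are always encoded.
function render_hidden_safe(string $name, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="' . $enc($name) . '" value="' . $enc($value) . '" />';
}

// Regression check: parse the fragment and list the elements a parser finds,
// plus the value the input element actually ends up with.
function inspect_fragment(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate markup that is not well-formed
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    $tags = [];
    foreach ($body->getElementsByTagName('*') as $el) {
        $tags[] = $el->nodeName;
    }
    $input = $doc->getElementsByTagName('input')->item(0);
    return ['tags' => $tags, 'value' => $input ? $input->getAttribute('value') : null];
}

// Constructed sample input: a quote followed by harmless markup.
$sample = 'x"><i>marker</i>';

foreach (['unsafe' => 'render_hidden_unsafe', 'safe' => 'render_hidden_safe'] as $label => $fn) {
    $html = $fn('reg_site', $sample);
    $seen = inspect_fragment($html);
    printf("%-6s %s\n       tags=%s value=%s\n", $label, $html,
        implode(',', $seen['tags']), var_export($seen['value'], true));
}
```

A fragment is correctly encoded when the only element found is the input and its value equals the submitted string; any extra element means the value escaped the attribute.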



