vbulletin 4 profile customization exploit?

  • Loco.M
    Senior Member
    • Mar 2005
    • 4319
    • 3.5.x

    [Forum] vbulletin 4 profile customization exploit?

    Is there any info on this?

    Code:
    If you have a vBulletin 4.x forum, turn off profile customization immediately! (Security Advisory) #vbulletin (wait for the patch) #intern0t

    I saw this last night, I asked for info and their response was..
    Code:
    Yes, an advisory will be disclosed within the next 24 hours since Jelsoft isn't taking it serious.



    So my question is, should we disable profile customization until a patch is released?
    I did anyway for our regular groups, not mods or smods just to be sure.
    -- Web Developer for hire
    ---Online Marketing Tools and Articles
  • reefland
    Senior Member
    • Sep 2000
    • 1131

    #2
    I have disabled mine as well until I hear further.
    Nation of Blue - Kentucky Wildcats Sports


    Some CMS Goodness: Add Avatar to Article


    • Ace
      Senior Member
      • Apr 2004
      • 4051
      • 4.2.X

      #3
      Unless it's Twitter lagging... back to the point where Jelsoft would have been the group to be concerned about it..
      My Live vB5 Site - NZEating.com
      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.


      • rootsxrocks
        Senior Member
        • Aug 2009
        • 833
        • 4.2.X

        #4
        Just great! I was just promoting the return of custom profiles! If this is an issue I would like to know ASAP!
        Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.


        • IB Adrian
          Former Senior Operations Manager
          • Jul 2008
          • 1688
          • 3.6.x

          #5
          We are investigating it - and should have an answer first thing tomorrow.
          Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
          Adrian

          • Loco.M
            Senior Member
            • Mar 2005
            • 4319
            • 3.5.x

            #6
            Originally posted by IB Adrian
            We are investigating it - and should have an answer first thing tomorrow.
            Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
            Adrian
            thank you for confirming
            -- Web Developer for hire
            ---Online Marketing Tools and Articles


            • rootsxrocks
              Senior Member
              • Aug 2009
              • 833
              • 4.2.X

              #7
              I did customize my profile, only to return later and find it was reverted to the default. I assumed I somehow hit the button; I hope it was not that someone outside the forum was able to modify it.
              Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.


              • Kevin Sours
                Lead Developer
                • Apr 2008
                • 601
                • 5.5.x

                #8
                There is an exploit within the profile editor code, however that code is only loaded for the user who owns the profile. The result is that you can only be affected by the exploit if you are logged in as the same user who entered the exploit code. Anybody else who views the profile page will not have permissions to edit the profile and will load the profile editor code and so won't get the malicious code. The result is that the risk for this issue is extremely low.
                Kevin


                • Loco.M
                  Senior Member
                  • Mar 2005
                  • 4319
                  • 3.5.x

                  #9
                  when can we expect a patch?
                  -- Web Developer for hire
                  ---Online Marketing Tools and Articles


                  • IB Adrian
                    Former Senior Operations Manager
                    • Jul 2008
                    • 1688
                    • 3.6.x

                    #10
                    Given the nature of this issue, in that as an end user you can only exploit it for your profile, and the exploit only is displayed for you, we have downgraded its priority and are going to release it as part of our next release, which we should have available next week.
                    Adrian

                    • Ace
                      Senior Member
                      • Apr 2004
                      • 4051
                      • 4.2.X

                      #11
                      Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                      My Live vB5 Site - NZEating.com
                      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.


                      • Kevin Sours
                        Lead Developer
                        • Apr 2008
                        • 601
                        • 5.5.x

                        #12
                        Originally posted by Ace
                        Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                        Can you PM me with a description of what you are seeing and how you got there? I'd like to understand the situation better before I try to answer questions.
                        Kevin


                        • Cody Tubbs
                          New Member
                          • Sep 2010
                          • 3

                          #13
                          This bug doesn't "exploit" other user custom profiles.

                          XSS is an exploitation vector that relies on users to view the page that is infected with the stored XSS code. It can be used to gather your session information, cookies, or keylog if enough space is allowed in the buffer the XSS is stored in, to store enough malicious JS code.
                          In this case, someone can only store the XSS code on their own profile, not an arbitrary user's custom profile, so if the question is "is my profile safe", yes, this bug does not allow arbitrary XSS on any profile, only the attacker's profile. This does not mean the attacker can't obfuscate a link to his own profile via tinyurl, etc. and start throwing that URL all over the forum to trick people into viewing his page, in turn gathering everyone's sessions/cookies and taking control of their sessions. He says someone was contacted on the 11th, does anyone know who?

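On the question in #11 about values that were stored before a patch, and the stored-XSS explanation in #13, here is an added example that is not part of the thread and is not vBulletin code: an audit that checks stored profile-customization values against a per-field allowlist so rows needing a reset to defaults can be listed. The field names, row layout and sample rows are hypothetical and constructed for illustration; they are not vBulletin's real schema.

```python
import re

# Allowlist patterns per kind of customization value (hypothetical field kinds).
HEX_COLOR = re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?")
FONT_LIST = re.compile(r"[A-Za-z0-9 ,\-]{1,100}")
IMAGE_URL = re.compile(
    r"https?://[A-Za-z0-9.\-]+(?::\d+)?/[A-Za-z0-9._~/%\-]*\.(?:png|jpe?g|gif)", re.I)
BORDER_WIDTH = re.compile(r"\d{1,2}px")

# Hypothetical column names, not taken from vBulletin.
FIELD_RULES = {
    "title_text_color": HEX_COLOR,
    "page_background_color": HEX_COLOR,
    "font_family": FONT_LIST,
    "page_background_image": IMAGE_URL,
    "module_border_width": BORDER_WIDTH,
}

def audit_row(row):
    """Return the sorted names of fields whose stored value fails its allowlist."""
    bad = []
    for field, value in row.items():
        if field == "userid" or value in (None, ""):
            continue  # the key column and unset values need no check
        rule = FIELD_RULES.get(field)
        # Unknown fields are flagged too: nothing unvalidated should be rendered.
        if rule is None or not rule.fullmatch(str(value)):
            bad.append(field)
    return sorted(bad)

def audit(rows):
    """Map userid -> failing fields for every row that needs resetting."""
    return {r["userid"]: bad for r in rows if (bad := audit_row(r))}

# Constructed sample rows (not real forum data).
SAMPLE_ROWS = [
    {"userid": 101, "title_text_color": "#336699", "font_family": "Verdana, Arial",
     "page_background_image": "https://img.example/bg/tile.png"},
    {"userid": 102, "title_text_color": '#fff"><script>alert(1)</script>',
     "font_family": "Arial"},
    {"userid": 103, "page_background_image": "javascript:void(0)",
     "module_border_width": "2px"},
    {"userid": 104, "font_family": "Arial; } body { display:none",
     "page_background_color": "#FFF"},
]

if __name__ == "__main__":
    for uid, fields in audit(SAMPLE_ROWS).items():
        print(f"userid {uid}: reset {', '.join(fields)}")
```

Matching with `fullmatch` against a strict pattern rejects anything that is not a plain color, font list, image URL or width, which is more robust than searching stored values for known-bad strings.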

                          • Cody Tubbs
                            New Member
                            • Sep 2010
                            • 3

                            #14
                            Furthermore, the demonstration the fellow used for this XSS bug was accompanied by a rendering bug in Windows from 2004. If you haven't patched your Windows installation since 2004 you have bigger problems.
                            I may add though that true 0day for Windows could have been used in replacement of Microsoft bug ID ms07 017.


                            • Loco.M
                              Senior Member
                              • Mar 2005
                              • 4319
                              • 3.5.x

                              #15
                              I see a 2nd patch has been issued, think we can get this locked down?
                              -- Web Developer for hire
                              ---Online Marketing Tools and Articles

