-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #3      | Sep 17th, 2005   |
| feat. SePro Bugtraq            |                  |
 ---------------------------------------------------
| Vendor  | vBulletin                               |
| URL     | http://vbulletin.com/                   |
| Version | <= vBulletin 3.0.9                      |
| Risk    | Moderate (SQL-Injection and             |
|         | Arbitrary File Upload)                  |
 ---------------------------------------------------

First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and
they immediately answered that they were going to look into these
bugs. We never got another mail with information about the problems
they fixed; they also did not inform us about the release of the
latest version, which *should* address all known security problems.
So it comes as no surprise that they failed to fix a lot of moderate
security bugs in the latest version. They did not consider it
necessary to release *any* information about patched security
problems in their announcement [1] for the current version either.
Some thanks/credits for our trouble/time with the audit would have
been a nice gesture, but who cares.

o Description:
=============

vBulletin is a powerful, scalable and fully customizable forums
package for your web site. It has been written using the Web's
quickest-growing scripting language, PHP, and is complemented with a
highly efficient and ultra fast back-end database engine built using
MySQL. Visit http://vbulletin.com/ for detailed information.
o SQL-Injection: (Fixed in vB 3.0.9)
===============

Notation used below: [SQL-Injection] and [XSS] mark the parameter
that reaches the query or the page unfiltered; 0XF is a non-numeric
probe value sent where an integer is expected, to show that the
parameter is used without being cast to an integer first.

> /joinrequests.php:
  POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

> /admincp/user.php:
  GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
  GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
  GET: <do=edit&usertitleid=0XF>

> /admincp/usertools.php:
  GET: <do=pmuserstats&ids=0XF>

o XSS: (Fixed in vB 3.0.9)
=====

> /admincp/css.php:
  GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php:
  GET: <redirect=[XSS]>

> /admincp/user.php:
  GET: <do=emailpassword&email=[XSS]>

> /admincp/language.php:
  GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php:
  GET: <do=view&orderby=[XSS]>

> /admincp/template.php:
  GET: <do=colorconverter&hex=[XSS]>
  GET: <do=colorconverter&rgb=[XSS]>
  GET: <do=modify&expandset=[XSS]>

o Arbitrary File Upload:
=======================

A user with access to the administrator panel (e.g. a
(Co-)Administrator) who has the privilege to add avatars/icons/smileys
can upload arbitrary files. Through such a file an attacker can
execute commands in the context of the web server.

> /admincp/image.php:
  POST: <do=upload&table=avatar>
  POST: <do=upload&table=icon>
  POST: <do=upload&table=smilie>

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:
================

> /modcp/announcement.php:
  POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
        &announcement[0]=[SQL-Injection]>

> /modcp/user.php:
  GET: <do=avatar&userid=0XF>

There are still a lot of security-related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.
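Editor's note: the injection points above (the request[...] key form,
the announcement[0] list-element form, and the 0XF and limitstart
forms, all of which recur in the /admincp list that follows) correspond
to three shapes of unsafe query building. The PHP below is an added
illustration of those shapes, each beside a hardened version. It is not
vBulletin's code; the pairing of URL forms with shapes is the editor's
reading and not taken from the vendor's source, and the table/column
names, the $db PDO handle and the function names are assumptions.

```php
<?php
// Added illustration (not vBulletin's code). Three shapes of unsafe query
// building, each next to a hardened version. Table/column names, $db (an
// assumed PDO connection to MySQL) and all function names are placeholders.

// Shape 1: request[<id>]=<action> -- the array *key* is used as an ID.
function process_requests_vulnerable(array $request): array
{
    $queries = [];
    foreach ($request as $requestid => $action) {
        // The value is compared, the key is spliced into the SQL verbatim.
        if ($action === 'accept') {
            $queries[] = "UPDATE joinrequest SET status = 1 WHERE requestid = $requestid";
        }
    }
    return $queries;
}

function process_requests_hardened(PDO $db, array $request): int
{
    $stmt = $db->prepare('UPDATE joinrequest SET status = 1 WHERE requestid = :id');
    $done = 0;
    foreach ($request as $requestid => $action) {
        // PHP turns a key like "12" into int 12 but keeps "12 OR 1=1" as a
        // string, so is_int() separates well-formed IDs from everything else.
        if ($action !== 'accept' || !is_int($requestid) || $requestid < 1) {
            continue;
        }
        $stmt->bindValue(':id', $requestid, PDO::PARAM_INT);
        $stmt->execute();
        $done += $stmt->rowCount();
    }
    return $done;
}

// Shape 2: keep[]=<id> -- a list of IDs imploded into IN (...) without a cast.
function delete_orphans_vulnerable(array $keep): string
{
    return 'DELETE FROM phrase WHERE phraseid NOT IN (' . implode(',', $keep) . ')';
}

function delete_orphans_hardened(array $keep): array
{
    $ids = [];
    foreach ($keep as $value) {
        // Reject rather than coerce: an ID must consist of digits only.
        if (!ctype_digit((string) $value) || (int) $value < 1) {
            throw new InvalidArgumentException("bad id: $value");
        }
        $ids[] = (int) $value;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no ids supplied');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    // Returns the statement text and the values to bind positionally.
    return ["DELETE FROM phrase WHERE phraseid NOT IN ($marks)", $ids];
}

// Shape 3: a scalar ID or LIMIT value placed in the query unquoted and uncast.
// This is what the 0XF probe in the advisory detects: intval('0XF') is 0, so a
// parameter that is cast never shows the probe, while one that reaches MySQL
// unchanged does.
function find_users_vulnerable(string $limitstart, string $limitnumber): string
{
    return "SELECT userid, username FROM user ORDER BY username LIMIT $limitstart, $limitnumber";
}

function find_users_hardened(PDO $db, $limitstart, $limitnumber): PDOStatement
{
    // For paging, coercing is acceptable: the cast keeps the leading integer
    // of the input and discards the rest, and the result is clamped.
    $start = max(0, (int) $limitstart);
    $count = min(500, max(1, (int) $limitnumber));
    $stmt = $db->prepare('SELECT userid, username FROM user ORDER BY username LIMIT :s, :n');
    $stmt->bindValue(':s', $start, PDO::PARAM_INT);
    $stmt->bindValue(':n', $count, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Stand-alone demonstration with constructed input (no database needed):
// print the SQL the vulnerable builders would send, and show the hardened
// list builder refusing the same input.
$request = ['7 OR 1=1' => 'accept'];        // as sent: request[7 OR 1=1]=accept
$keep    = ['1', '2) OR 1=1 -- '];          // as sent: keep[0]=1&keep[1]=2) OR 1=1 --
foreach (process_requests_vulnerable($request) as $sql) {
    echo $sql, "\n";
}
echo delete_orphans_vulnerable($keep), "\n";
echo find_users_vulnerable('0XF', '10'), "\n";
try {
    delete_orphans_hardened($keep);
} catch (InvalidArgumentException $e) {
    echo 'hardened builder: ', $e->getMessage(), "\n";
}
```

Run stand-alone, the script prints the statements the vulnerable
builders would send: the first updates every join request because the
key turns the WHERE clause into "requestid = 7 OR 1=1", the second
deletes every phrase because the list element closes the IN (...) and
comments out the rest, and the third ships the 0XF probe to MySQL
unchanged. The hardened builders differ in one deliberate way: IDs are
rejected when they are not plain digits, while paging values are
clamped, since a bad page offset is not worth failing the request over.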
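Editor's note on the upload finding above: the PHP below is an added
example of the server-side checks a handler such as admincp/image.php
needs before it stores an avatar, icon or smilie. It is not
vBulletin's code, and the form field name, directory, size limit and
function names are assumptions. It also shows, with a constructed GIF
that has PHP appended, where a header check alone stops being enough.

```php
<?php
// Added illustration (not vBulletin's code): the checks an upload handler
// such as admincp/image.php needs before it stores an avatar, icon or smilie.
// The field name, directory, limits and function names are assumptions.

// Image type (as reported by getimagesize) -> extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Decide the stored extension from the decoded image header, never from the
// client-supplied file name or Content-Type. Returns null for anything that
// does not decode as one of the accepted image types.
function image_extension(string $path): ?string
{
    $info = @getimagesize($path);
    if ($info === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;
}

// Request-side handling of one $_FILES entry: validate, then store under a
// server-chosen name that carries no path components and no client-chosen
// extension, so "shell.php" can never be saved as a .php file.
function store_image_upload(array $file, string $dir, int $maxBytes = 102400): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file received via HTTP POST');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    $ext = image_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not a supported image');
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

// Stand-alone check of the header test with constructed files (no request
// needed): a PHP script, a genuine 1x1 GIF, and a GIF with PHP appended.
$tmp    = sys_get_temp_dir();
$gif    = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
        . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
        . "\x02\x02D\x01\x00;";
$script = "<?php system(\$_GET['c']); ?>";

file_put_contents("$tmp/a.php", $script);
file_put_contents("$tmp/b.gif", $gif);
file_put_contents("$tmp/c.gif", $gif . $script);

foreach (['a.php', 'b.gif', 'c.gif'] as $name) {
    var_dump(image_extension("$tmp/$name"));
}

// Example call in a real handler (field name "upload" is an assumption):
// $stored = store_image_upload($_FILES['upload'], '/var/www/images/avatars');
```

Run stand-alone, the loop rejects the plain script but accepts both
GIFs: getimagesize() only inspects the header, so a GIF with PHP
appended passes the type check. That is why the stored extension is
chosen by the server from the decoded type, and why the upload
directory should additionally be served with script execution turned
off (for Apache with mod_php, "php_flag engine off" in that
directory's .htaccess, or keep the directory outside the document root
and hand files out through a read-only handler).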
> /admincp/admincalendar.php:
  POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
        calendar[0]=[SQL-Injection]>
  POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>

> /admincp/cronlog.php:
  POST: <do=doprunelog&cronid=0XF>
  POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
  POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
  POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/language.php:
  POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
  POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/usertools.php:
  POST: <do=updateprofilepic>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript code in them.

> Not properly filtered: (XSS)
  </admincp/announcement.php>
  </admincp/admincalendar.php>
  </admincp/bbcode.php>
  </admincp/cronadmin.php>
  </admincp/email.php?do=genlist>
  </admincp/faq.php?do=add>
  </admincp/forum.php?do=add>
  </admincp/image.php?do=add&table=avatar/icon/smilie>
  </admincp/language.php>
  </admincp/ranks.php?do=add>
  </admincp/replacement.php?do=add>
  </admincp/replacement.php?do=edit>
  </admincp/template.php?do=addstyle>
  </admincp/template.php?do=edit>
  </admincp/usergroup.php?do=add>
  </admincp/usertitle.php>

o Disclosure Timeline:
=====================

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:
==========

Upgrade to vBulletin 3.0.9 [1]. This fixes the issues marked as such
above but leaves the arbitrary file upload and the bugs listed under
"Unpatched Bugs" open. Maybe the next vBulletin release fixes the
remaining security-related bugs.

o Credits:
=========

deluxe <deluxe@xxxxxxxxxxxxxxxxxxxx>

- ---
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory
feel free to send me a mail.
The address 'bugtraq@xxxxxxxxxxxx' is more a spam address than a
regular mail address therefore it's possible that I ignore some
mails. Please use the contact details at http://morph3us.org/ to
contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo
king, eh!1! :oP), trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

- -- 
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd
+nRt0ghXoiA88M54F/MIy1U=
=zg38
-----END PGP SIGNATURE-----