[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

vBulletin - Insecure Custom BBCode Tags

vBulletin - Insecure Custom BBCode Tags

Versions Affected: 3.8.4 PL2 (Most likely all versions)

Content publishing, search, security, and more?vBulletin has it all. Whether
it?s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.

External Links:

-:: The Advisory ::-

A vulnerability exists within vBulletin which makes an attacker able to inject
code such as HTML or Javascript via custom BBCode Tags IF they follow certain
conditions which are described below.

- User-input must be located inside a variable in a HTML-tag.
- Apostrophes or nothing must be used for encapsulation.

Insecure Implementations:

- Example 1 (src is insecure)
<img src='{param}' style='border-width:5px;border-color:red;border-style:outset;' />

- Example 2 (href is insecure)
<a href={option} style=border-width:5px;border-color:red;border-style:outset;>{param}</a>

Exploitation of Above Implementations:

- Example 1 (PoC)
[BadTag]x:x' onerror=alert(0) foo='[/BadTag]

- Example 2 (PoC)
[BadTag2=fail onmouseover=alert(0)]Link[/BadTag2]

-:: Solution ::-

Sanitize BBCode with htmlentities($var, ENT_QUOTES); or htmlspecialchars($var); in the PHP files.
(Jelsoft should fix this, however I may provide a patch if they don't.)

Alternatively don't use BBCode with apostrophes where user-input is inside a variable.

Examples of "Secure Implementation":
<img src="{param}" style='border-width:5px;border-color:red;border-style:outset;' />
[ + ] Note that src's value is encapsulated with quotes.

<a href="{option}" style=border-width:5px;border-color:red;border-style:outset; />{param}</a>
[ + ] Note that href's value is encapsulated with quotes.

Disclosure Information:
- Vulnerability found the 29th April 2010
- Vendor and Buqtraq (SecurityFocus) was contacted the 29th April
- Disclosed on InterN0T the 29th April


All of the best,