-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------
| BuHa Security-Advisory #3        | Sep 17th, 2005 |
| feat. SePro Bugtraq              |                |
---------------------------------------------------
| Vendor   | vBulletin                             |
| URL      | http://vbulletin.com/                 |
| Version  | <= vBulletin 3.0.9                    |
| Risk     | Moderate (SQL-Injection and           |
|          | Arbitrary File Upload)                |
---------------------------------------------------

First of all I want to express my disappointment with the behavior of the
vbulletin.com and vbulletin-germany.com team and the missing cooperation.
We sent them a mail with a list of security issues and they immediately
answered that they were going to look into these bugs. We never got another
mail with information about the problems they fixed - they also did not
inform us about the release of the latest version, which *should* address
all known security problems. So it comes as no surprise that they failed to
fix a lot of moderate security bugs in the latest version. They did not
consider it necessary to release *any* information about patched security
problems in their announcement [1] for the current version either. Some
thanks/credits for our trouble/time with the audit would have been a nice
gesture, but who cares.

o Description:
=============

vBulletin is a powerful, scalable and fully customizable forums package for
your web site. It has been written using the Web's quickest-growing
scripting language, PHP, and is complemented with a highly efficient and
ultra fast back-end database engine built using MySQL.
Visit http://vbulletin.com/ for detailed information.

o SQL-Injection: (Fixed in vB 3.0.9)
===============

> /joinrequests.php:
  POST:

> /admincp/user.php:
  GET:
  GET:

> /admincp/usertitle.php:
  GET:

> /admincp/usertools.php:
  GET:

o XSS: (Fixed in vB 3.0.9)
=====

> /admincp/css.php:
  GET:

> /admincp/index.php:
  GET:

> /admincp/user.php:
  GET:

> /admincp/language.php:
  GET:

> /admincp/modlog.php:
  GET:

> /admincp/template.php:
  GET:
  GET:
  GET:

/admincp/image.php:
  POST:
  POST:
  POST:

This issue is not addressed in vBulletin 3.0.9.

o Unpatched Bugs:
================

> /modcp/announcement.php:
  POST:

> /modcp/user.php:
  GET:

There are still a lot of security related bugs in the administrator panel
of the vBulletin software. An authorized user could elevate his privileges
and read sensitive data.

> /admincp/admincalendar.php:
  POST:
  POST:

> /admincp/cronlog.php:
  POST:
  POST:

> /admincp/email.php:
  POST:

> /admincp/help.php:
  POST:

> /admincp/language.php:
  POST:

> /admincp/phrase.php:
  POST:

> /admincp/usertools.php:
  POST:

Even a privileged user should not be able to add posts, titles,
announcements etc. containing HTML/JavaScript code.

> Not properly filtered: (XSS)

o Disclosure Timeline:
=====================

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:
==========

Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in this
advisory. Maybe the next vBulletin release will fix the still-unpatched
security-related bugs.

o Credits:
=========

deluxe
- --- Thomas Waldegger
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam
address than a regular mail address, so it is possible that I ignore some
mails. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

- --
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDLTrpUXI2fw/BTWcRAjAMAKCqHE41PnbTjdGl65R8H7Ju7B0CBwCgp/dd
+nRt0ghXoiA88M54F/MIy1U=
=zg38
-----END PGP SIGNATURE-----