vBulletin Directory Traversal Vulnerability

Vulnerability ID 1190141 Vulnerability type Cross-site scripting
Published 2007-06-21 Updated 2007-06-21
CVE number CVE-2007-3326 CNNVD-ID CNNVD-200706-360
Vulnerability platform N/A CVSS score 5.8
|Vulnerability sources
https://www.securityfocus.com/bid/81726
https://cxsecurity.com/issue/WLB-2007060081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-360
|Vulnerability details
Multiple directory traversal vulnerabilities exist in vBulletin. A remote attacker can redirect visitors to arbitrary local files via (1) ".." sequences in the loc parameter submitted to admincp/index.php, and (2) the URI field of the Hyperlink information in showthread.php.
|Vulnerability EXP
+--------------------------------------------------------------------
+
+ New Include Redirect Bug XSS All vBulletin® v 3.x.x
+
+--------------------------------------------------------------------
+ vendor site........: http://www.vbulletin.com/
+ Affected Software .: vbulletin
+ Class .............: XSS
+ Risk ..............: Low
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
New Include Redirect Bug XSS All vBulletin v 3.x.x

This injection would allow an attacker to include/redirect an admin to a page of his choice, effectively
XSS the page and steal cookies:

Permanent XSS (any file containing the XSS code must be uploaded on the site). PoC:

<script>alert(document.cookie)</script>.

To be used with a cookie stealer, the following is a simple attack:

http://localhost/vb/admincp/index.php?loc=../../../nez.txt

When the URL is opened it will steal the cookies.
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || Provide || - || HeX || - || dEv!L RoOT || + || BlackWHITE || - || dOcnok || - || A.tar0uDant.D ||
+ || Pro Hacker || - || DARKFIRE || - || papipsycho ||
+ Sp.Thanx To : Sec-Area.com Member's
+-------------------------[ W D T ]----------------------------------
|Affected products
Jelsoft vBulletin 3.0.0
|References

Source: BUGTRAQ
Name: 20070620 New Include Redirect Bug XSS All vBulletin® v 3.x.x
Link: http://www.securityfocus.com/archive/1/archive/1/471838/100/0/threaded
Source: BUGTRAQ
Name: 20070620 New post Topic Hijacking XSS All vBulletin® v 3.x.x (2)
Link: http://www.securityfocus.com/archive/1/archive/1/471835/100/0/threaded
Source: XF
Name: vbulletin-index-directory-traversal(34956)
Link: http://xforce.iss.net/xforce/xfdb/34956
Source: SREASON
Name: 2820
Link: http://securityreason.com/securityalert/2820