-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #2     |    Sep 17th, 2005 |
| feat. SePro Bugtraq           |                   |
 ---------------------------------------------------
| Vendor   | vBulletin                              |
| URL      | http://vbulletin.com/                  |
| Version  | <= vBulletin 3.0.7                     |
| Risk     | Moderate (SQL-Injection and            |
|          |           Arbitrary File Upload)       |
 ---------------------------------------------------

The vBulletin team released version 3.0.8 of their software at the same
time as we dropped them a mail about several security related issues.
They already had addressed a couple of problems we mentioned in our mail
but they did not fix all named security issues so we decided to release
two advisories - one for the version 3.0.8 and the other one for the
latest version 3.0.9. Unfortunately the vBulletin team did not consider
it necessary to release *any* information about security problems in
their software to the public not to mention send us details about the
bugs they fixed therefore we have to determine the differences between
the versions on our own.

o Description:
=============

vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL. [...]

Visit http://vbulletin.com/ for detailed information.

o SQL-Injection:
===============

> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

A moderator is able to read sensitive data like Private Messages,
Password Hashes etc.

> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
&announcement[0]=[SQL-Injection]>

> /modcp/thread.php:
POST: <do=dothreads&thread[forumid]=0XF>
POST: <do=dothreadssel&criteria=a:1:{s:7:"forumid";s:5:"aaaa'";}>

> /modcp/user.php:
GET: <do=avatar&userid=0XF>

There are a lot of security related bugs in the administrator panel of
the vBulletin software. An authorized user could elevate his privileges
and read sensitive data.

> /admincp/admincalendar.php:
GET: <do=addcustom&calendarcustomfieldid=[SQL-Injection]>
GET: <do=addmod&calendarid=[SQL-Injection]>
GET: <do=addmod&calendarid=1&moderatorid=[SQL-Injection]>
GET: <do=deletecustom&calendarcustomfieldid=[SQL-Injection]>
POST: <do=doremoveholiday&holidayid=[SQL-Injection]>
GET: <do=edit&calendarid=[SQL-Injection]>
POST: <do=kill&calendarid=[SQL-Injection]>
POST: <do=killmod&$calendarmoderatorid=[SQL-Injection]>
GET: <do=remove&calendarid=[SQL-Injection]>
POST: <do=removemod&moderatorid=[SQL-Injection]>
POST: <do=saveholiday&holidayinfo[title]=sepro&holidayid=0XF>
POST: <do=update&calendar[daterange]=2002-2008&calendarid=0XF>
GET: <do=updateholiday&holidayid=0XF>
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
calendar[0]=[SQL-Injection]>
POST: <do=updatemod&calendarid=1&moderatorid=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=[SQL-Injection]>

> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>
GET: <do=pmuserstats&ids=0XF>

> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/template.php:
GET: <do=editstyle&dostyleid=[SQL-Injection]>
GET: <do=editstyle&dostyleid=[SQL-Injection]>
POST: <do=revertall&dostyleid=[SQL-Injection]>

> /admincp/thread.php::
POST: <do=dothreads&thread[forumid]=0XF>

> /admincp/usertools.php:
POST: <do=updateprofilepic>

Not included in standard vBulletin release:
> /admincp/vbugs_admin.php:
GET: <do=editseverity&vbug_severityid=[SQL-Injection]>
GET: <do=removeseverity&vbug_severityid=[SQL-Injection]>
GET: <do=updateseverity&vbug_severityid=[SQL-Injection]>

o Arbitrary File Upload:
=======================

Any user with access to administrator panel (e.g. (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is able to gain the ability to execute commands under
the context of the web server.

> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>

o XSS:
=====

> /modcp/index.php:
GET: <do=frames&loc=[XSS]>

> /modcp/user.php:
GET: <do=gethost&ip=[XSS]>

> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>

> /admincp/index.php:
GET: <redirect=[XSS]>
GET: <do=frames&loc=[XSS]>

> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>

> /admincp/usertitle.php:
GET: <do=gethost&ip=[XSS]>

> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>

> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>

> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]>

Not included in standard vBulletin release:
> /admincp/vbugs_admin.php:
GET: <do=updateseverity&vbug_severityid=1%20/*[XSS]>

Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript-Code in it.

> Not properly filtered: (XSS)

</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>

o Disclosure Timeline:
=====================

20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
29 Jul 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.

o Solution:
==========

Upgrade to vBulletin 3.0.9 [1]

o Credits:
=========

deluxe <deluxe@security-project.org>
Security-Project - http://security-project.org/projects/board/

- - ---

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.7.txt

[1] http://www.vbulletin.com/forum/showthread.php?p=961409

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD9YF1kCo6/ctnOpYRA1PBAJsHGa6U0d2P5F9G6RDEp5M79An+IQCgnwSN
9Bp3RVHR6nGd6vsx4WmdweM=
=9ZRW
-----END PGP SIGNATURE-----