CVE-2013-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
================================================================================================



Overview
--------

    date    :  10/12/2014
    cvss    :  4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
    cwe     :  79

    vendor  : vBulletin Solutions
    product : vBulletin 4
    versions affected :  latest 4.x and 5.x (to date); verified <= 4.2.2 ; <= 5.0.x
            * vBulletin 5.0.5      (verified)
            * vBulletin 4.2.2      (verified)
            * vBulletin 4.2.1      (verified)
            * vBulletin 4.2.0 PL2  (verified)

    exploitability :
            * remotely exploitable
            * requires authentication (apikey)
            * requires non-default features to be enabled (API interface, API-Logging)
            * requires user interaction to trigger exploit (admincp - admin views logs)

    patch availability (to date) :  None


Abstract
--------

    vBulletin 4/5 does not properly sanitize client-provided xmlrpc
    attributes (e.g. client name), allowing a remote xmlrpc client to inject
    code into the xmlrpc API logging page.

    The code is executed once an admin visits the API log page and clicks on
    the API client's name.

    risk:  rather low - due to the fact that the api key is required;
           you can probably use CVE-2014-2023 to obtain the api key


Details
-------

    vulnerable component:
        ./admincp/apilog.php?do=viewclient

    apilog.php does not sanitize xmlrpc client-provided data before passing
    it to print_label_row to generate the output page.

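As an added illustration (not vBulletin's code), the output pattern described above beside its hardened form; the row renderer below is a hypothetical stand-in for print_label_row and the client name is a constructed sample:

```php
<?php
// Added illustration, not vBulletin code. render_label_row_* are stand-ins
// for the admin-panel row renderer; the real apilog.php hands the
// xmlrpc-supplied client name to print_label_row without encoding it.

// Vulnerable pattern: the untrusted value is interpolated into HTML as-is,
// so any markup the xmlrpc client sent is rendered in the admin's browser
// when the log entry is viewed (stored XSS, CWE-79).
function render_label_row_unsafe(string $label, string $value): string
{
    return "<tr><td class=\"alt1\">$label</td>"
         . "<td class=\"alt2\">$value</td></tr>";
}

// Hardened pattern: HTML-encode at the output sink. ENT_QUOTES also encodes
// single and double quotes so the value stays inert inside attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an
// empty string; the charset must match the page's declared encoding.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_label_row_safe(string $label, string $value): string
{
    return "<tr><td class=\"alt1\">" . html_encode($label) . "</td>"
         . "<td class=\"alt2\">" . html_encode($value) . "</td></tr>";
}

// Constructed sample: a client name carrying markup, as an xmlrpc client
// could supply it in the handshake that ends up in the API log.
$clientName = 'Acme <i title="beta">client</i>';

// The unsafe renderer emits the tags verbatim; the safe one emits
// &lt; &gt; and &quot; entities, so the browser shows them as text.
echo render_label_row_unsafe('Client name', $clientName), "\n";
echo render_label_row_safe('Client name', $clientName), "\n";
```

Encoding at the sink is the fix; filtering the client name on input is a weaker complement, since the same value may be rendered in more than one context.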

Proof of Concept (PoC)
----------------------

    see https://github.com/tintinweb/pub/cve-2013-2021

    1) prerequisites
    1.1) enable API, generate API-key
         logon to AdminCP
         goto "vBulletin API"->"API-Key" and enable the API interface, generate key
         goto "vBulletin API"->"API-Log" and enable all API logging
    2) run PoC
         edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
         run PoC, wait for SUCCESS! message
    3) trigger exploit
         logon to AdminCP
         goto "vBulletin API"->"API-Log" and hit "view"
         in search results click on "client name"
         the injected msgbox pops up


Timeline
--------

    2014-01-14: initial vendor contact - no reply
    2014-01-24: vendor contact - no reply
    2014-10-13: public disclosure


Contact
-------

    tintinweb - https://github.com/tintinweb/pub/cve-2013-2021


//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
