::Vulnerabilities:
There are two vulnerabilities (there are more XSRF issues, but the principle is the same):
1) Update User Profile XSRF (the form does not ask for the current password)
2) Create an admin XSRF
Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1
Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.
The upgrade process is the same as previous patch level releases - simply
----------------------------------------
C] chat home folder empty files creation
----------------------------------------
TinTin++ can receive files from other people in the incoming folder,
which by default is the home folder (~ on Unix and %USERPROFILE% on
Windows); naturally, the user has to accept the file before it is
received.
The problem is that the file named by the sender is created before the
user accepts or declines it, so it is possible for an attacker to overwrite
--
Exploitation / poc:
index.php?option=com_cbe&task=userProfile&user=23&ajaxdirekt=true&tabname=../../../CREDITS.php%00
will execute the CREDITS.php
Additional attack vectors:
CBE offers a file-upload function for uploading user profile images. The
ExoPHPdesk user profile XSS / profile SQL injection
http://exoscripts.com/exohelpdesk
You can inject script code into the area of the website where the profile is created. Cookies are in use, which makes an XSS more than possible.
http://example.com/helpdesk/index.php?fn=profile&s=&user=admin' sql here
SQL injection in the profile area is possible with suitably malformed input.
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)
(This is only visible to the attacker when he or she is logged in, and browsing his or her own profile.)
[2] Global Reflected XSS:
An attacker can inject malicious CSS that executes JavaScript, which is then visible
to anyone browsing the user profile, including guests visiting the malicious user's profile.
Proof of Concept: (IE6 only, may not work in IE7+ and FF)
url(/);background:url(javascript:document.write(1337))
url(/);width:expression(alert('www.intern0t.net'))
--------------
Vulnerability:
--------------
The mail and forum components are vulnerable to cross site scripting.
Script code can be embedded into the user profile.
------------
PoC/Exploit:
------------
If XSS is allowed, it could allow for Session Hijacking.
I found this bug using version 6.1 of NSSboard (the latest as of this writing), and it's likely that all earlier versions are also affected, but I didn't test them. I am using Debian Linux and lighttpd to host it.
The fix would be to make sure HTML tags are filtered regardless of BBcode being enabled, and to filter user profile input data.
If you are using this software, I would recommend having BBcode enabled even if you don't need it.
Credit: Me (Casey Fitzpatrick) aka: kcghost, kcblah
This will affect the administration pages as well as the user registration
page if the role is set to be shown.
=> XSS in Profile (parameter: explanation, module: profile, url: admin/user/profile)
The 'explanation' parameter is not properly sanitized when adding new
* single-line textfield
* multi-line textfield