To View Indonesian Version, You can click here.
When we're hearing about vBulletin, some of us or more than 50% people says that "owh it's a secure forum application. However, when new features are included, such as Profile Customization, a new vulnerability might be born.
If you already follow some of websites that have vBulletin, maybe you can try this. In the customize profile, you can fill some color codes such as: #000, RGB codes like rgb(255, 255, 255) and even you can add your images there. You can imagine that we can changing the user profile background, to a custom image by using url(‘path/to/image.png’)…
If we try to fill in ?’ABCD”/\>< to the input area, we can see in the picture below that some characters not escaped or encoded correctly.
In this experiment, aposthrope are escaped into \' , but quotes and HTML tags are not escaped nor encoded. In this case, it will allow hacker to inject HTML or script codes. But as we know that PHP have preg_match() maybe if you put the <script> tag inside it, it will be sanitized.
It doesn't mean that you cannot fill in <script> tag it's impossible to execute some script, there's another ways to do it especially for experienced hackers. Before running the script, we can try to display an image into our vBulletin profile with the script below.
url(</script><img src="" />)
After we put the script inside the change color box,
we can see something changed in our profile like the picture below.
We've already change our profile into a big picture….
I will try to write "HellO v4L" in my user profile in vBulletin by using the code below.
url(</script><img src="x:x" onerror="alert(String.fromCharCode(72,101,108,108,79,32,118,52,76))" />)
Bear in your mind that if you still think that XSS is not dangerous you're absolutely wrong. This tutorial is not showing how to attack, but what would happen if there's some website have an XSS flaw.
Some people maybe think…."okay that's the hacker website…then…what's happen?". You can see my previous posts about Exploiting Internet Explorer v6, v7, and v8 and also my posts about Exploiting IE6 using IE_Aurora. The hacker can do some social engineering technique "Hey Guys, I Have Important Message in My Profiles..Please Check It", then everyone who viewing malicious profile will be redirected to attacker server where the server serve a browser exploit. And you may know what next is special PWNED for the user/victim…
1. When you open user profile in vBulletin forum, make sure that you are using the latest browser agent, it can minimize attack by browser exploit.