vBulletin Customizable Roster Plugin – Data Extraction & XSS

Plugin: http://www.vbulletin.org/forum/showthread.php?t=235326
Version: 4.1.0 (latest)

This plugin is prone to a data extraction vulnerability (any column of a listed user's row can be read out) and to reflected cross-site scripting. Both vulnerabilities are in the showroster.php file.

#1 Data Extraction

The vulnerable code looks like this:

			// ###GROUPCACHE#################################################################
			// $sortgroupfield arrives from the request and is used unchecked as a key
			// into $userinfo, which holds the whole user table row
			if ($userinfo['userid']) {
				$t = strtoupper($userinfo[$sortgroupfield]);
				$u = strtoupper($userinfo[$sortuserfield]);
				$groupcache["$t"]["$u"] = $userinfo;
			}

As you can see, $t is set to $userinfo[$sortgroupfield], and $sortgroupfield is taken straight from the URL, so any user can choose which key is read.
Later on, the script iterates through the $groupcache array and assigns the values to the showroster template, which renders them as the group headings.

The problem is that $sortgroupfield is never validated against the set of columns the roster is meant to sort by. Because $userinfo holds every column of the user table row, an attacker can read any column of any user shown in the roster simply by naming it in the URL, for example:
http://example.com/showroster.php?order=asc&sortgroupfield=password
http://example.com/showroster.php?order=asc&sortgroupfield=salt

The only limitations are that the target user must appear in the roster and that only one column can be extracted per request. Two requests are enough to get both password and salt, after which the stored hash (vBulletin keeps md5(md5(password) . salt)) can be cracked offline.

Proof of concept:
http://example.com/showroster.php?order=asc&sortgroupfield=password will show something like this:
[Screenshot: Roster Plugin Data Extraction]

 
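The fix is an allow-list on the requested column, not string cleaning. The following is an added example (not code from the Customizable Roster plugin) of a hardened GROUPCACHE step: the request may only select from the columns the roster is meant to sort by, and only display columns are copied into the cache, so the template cannot reach password or salt even by accident. The two column lists and the user rows are constructed for the demo and are assumptions, not values from the plugin.

```php
<?php
// Added example, not the plugin's code: hardened version of the GROUPCACHE
// step from showroster.php. The original uses the raw ?sortgroupfield= value
// as a key into the full user row, so any column (password, salt, email) can
// be surfaced in the roster. Two changes close that: the requested field must
// be on an allow-list, and only display columns go into the cache.

// Columns the roster may group/sort by (assumed set for this demo).
const ROSTER_SORT_FIELDS = ['usergroupid', 'username', 'joindate', 'posts'];

// Columns the template actually renders (assumed set for this demo).
const ROSTER_DISPLAY_FIELDS = ['userid', 'username', 'usergroupid', 'posts'];

/**
 * Return $requested if it is an allow-listed column, otherwise $default.
 * Strict comparison: no case folding, no prefix matching, no trimming.
 */
function pick_sort_field(?string $requested, string $default): string
{
    if ($requested !== null && in_array($requested, ROSTER_SORT_FIELDS, true)) {
        return $requested;
    }
    return $default;
}

/**
 * Build the group cache the way the plugin does, but from allow-listed keys
 * only, and store a projection of each row instead of the whole $userinfo
 * array, so password/salt never enter the data handed to the template.
 */
function build_groupcache(array $users, string $sortgroupfield, string $sortuserfield): array
{
    $groupcache = [];
    foreach ($users as $userinfo) {
        if (empty($userinfo['userid'])) {
            continue;
        }
        $t = strtoupper((string) $userinfo[$sortgroupfield]);
        $u = strtoupper((string) $userinfo[$sortuserfield]);
        // Keep only the display columns of this row.
        $groupcache[$t][$u] = array_intersect_key(
            $userinfo,
            array_flip(ROSTER_DISPLAY_FIELDS)
        );
    }
    return $groupcache;
}

// --- demo with a constructed user table (all values made up) ---------------
$users = [
    ['userid' => 1, 'username' => 'alice', 'usergroupid' => 6, 'posts' => 120,
     'joindate' => 1300000000, 'password' => 'hash-of-alice', 'salt' => 'Xy9'],
    ['userid' => 2, 'username' => 'bob',   'usergroupid' => 2, 'posts' => 7,
     'joindate' => 1310000000, 'password' => 'hash-of-bob',   'salt' => 'Qq1'],
];

// What ?sortgroupfield=password delivers to the original plugin.
$requested = 'password';

// Not on the allow-list, so the roster falls back to grouping by usergroupid.
$field = pick_sort_field($requested, 'usergroupid');
$cache = build_groupcache($users, $field, 'username');

foreach ($cache as $group => $members) {
    echo "group {$group}: " . implode(', ', array_keys($members)) . "\n";
}
// The password hashes appear nowhere: not as group headings (allow-list) and
// not inside the per-user arrays (projection).
```

Note that running the parameter through vBulletin's own cleaner (for example $vbulletin->input->clean_gpc('r', 'sortgroupfield', TYPE_STR)) does not help here: "password" is a perfectly well-formed string and would pass straight through. Only the allow-list closes the hole, and $sortuserfield should get the same treatment if it is also request-controlled.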
#2 Cross Site Scripting

The GET parameter id is echoed into the page without output encoding, giving reflected XSS.

Proof of concept:
http://example.com/showroster.php?order=asc&sortgroupfield=field1&id="><script>alert("XSS")</script>

The alert fires several times, once for each place on the page where the id value is echoed. Any HTML or JavaScript can be injected.
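The advisory does not quote the line that echoes id, but the payload's leading "> only makes sense if the value lands inside a quoted HTML attribute, so the example below assumes a link href built from the parameter. It is added here and is not the plugin's code; it shows the vulnerable construction next to the hardened one, using the advisory's own payload as constructed input.

```php
<?php
// Added example, not the plugin's code. showroster.php reflects the GET
// parameter "id" into the page; the reflection is assumed to be inside a
// quoted attribute (a link href), which is what the "> prefix of the PoC
// payload breaks out of.

// Value of ?id= from the advisory's proof-of-concept URL (constructed input).
$payload = '"><script>alert("XSS")</script>';

/** Vulnerable: raw interpolation into an attribute (assumed shape of the bug). */
function render_link_vulnerable(string $id): string
{
    return '<a href="showroster.php?order=asc&id=' . $id . '">roster</a>';
}

/**
 * Hardened: urlencode() makes the value safe inside the query string, and
 * htmlspecialchars() with ENT_QUOTES makes the finished URL safe inside an
 * HTML attribute, so neither " nor < can terminate the attribute or open a
 * tag. Both layers are needed: the first encodes for the URL, the second for
 * the HTML context the URL is embedded in.
 */
function render_link_safe(string $id): string
{
    $href = 'showroster.php?order=asc&id=' . urlencode($id);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">roster</a>';
}

/** Same value reflected as text content rather than inside an attribute. */
function render_text_safe(string $id): string
{
    return '<span>' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Vulnerable: the quote and > close the href early and the <script> runs,
// once per link rendered this way.
echo render_link_vulnerable($payload), "\n";

// Hardened: the quote, angle brackets and parentheses are percent-encoded in
// the URL and the & separator becomes &amp; in the attribute.
echo render_link_safe($payload), "\n";

// Hardened text context: " becomes &quot;, < and > become &lt; and &gt;.
echo render_text_safe($payload), "\n";
```

Use ENT_QUOTES rather than the default flags so that single-quoted attributes are covered as well, and apply the encoding at the point of output in the template, not once at input time, since the same id value may be reflected in several contexts on the page.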
