Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Bugtraq: Bugtraq

Re: New Include Redirect Bug XSS All vBulletin(r) v 3.x.x

  

 
Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded


coley at mitre

Jun 21, 2007, 1:21 PM

Post #1 of 2 (408 views)
Permalink
Re: New Include Redirect Bug XSS All vBulletin(r) v 3.x.x
Scott MacVicar said:

>There is a much more significant issue than executing an XSS if you
>can upload a file to a remote site...

XSS could be put into an image that's allowed to be uploaded, then
directory traversal could be used to reference that image. The image
data could be very small and made to look like it's conformant.

XSS could be put into log files (such as the web server log files)
simply by including it in an arbitrary request, then directory
traversal can be used to reference that log file.

Both of these techniques are commonly used in PHP exploits. There are
probably others.

Then there's the whole possibility of using directory traversal to
reference completely unexpected code, which could prevent important
variables from being set, but people haven't researched that technique
very much.

In short - you don't need to create a file, you merely need to
influence its contents.

- Steve


scott-REMOVE- at vbulletin

Jun 22, 2007, 3:30 AM

Post #2 of 2 (353 views)
Permalink
Re: Re: New Include Redirect Bug XSS All vBulletin(r) v 3.x.x [In reply to]
I fully understand the significance of XSS and the numerous different ways to get it on the server but this focuses directly on the ability to place a web viewable document on the same domain which vBulletin doesn't provide itself.

What the author of this exploit has described is a way to influence a user to visit a link to a crafted page already present on the domain, it isn't traversing out of the directory, its only changing the value of a src or an href parameter.

Short of removing the ability for users to provide links there isn't a way to fix this, and even if we did they could just put the link on anyway and have someone copy and paste.

In my eyes it isn't even an exploit at all, if you can create unsanitised content that is web viewable then there is a more significant problem that needs resolved and it out of our scope to fix.

Scott MacVicar

Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.