http://www.milw0rm.com/video/author/30 Click on the "vBulletin XSS Demonstration with Session Hijacking" and watch.... I was so shocked at what happened, my mouth stayed open for the duration of the video. The way that he edited the cookie info like that stunned me. He could access unlimited information with what he is doing. vBulletin isn't safe..... Please comment if I am wrong! Don't reply until you have watched the video. Rob
although it is kind of funny how all the links in your sig are either suspended or restricted...heh I'll happily continue using vbulletin, thanks though
I can't claim to fully understand XSS and the entirety of what he did when he edited those cookies, but I'm in awe of the results. Can someone with more programming experience give a better play-by-play than he offered in the text file?
Basically he used a JavaScript and PHP file to edit a text file to contain the information, he copies the MD5 hash into the cookie information which therefore gains him access to any account which he has information to in his txt file. He also used it to uproot a forum and change it to redirect to the vBulletin manual, didn't quite understand that bit. But basically, it is a security risk. Rob
vbulletin team recently fixed a major XSS exploit, wouldn't be surprised if this is the one that they fixed.
actually this was fixed a long time ago. The date on the video is June.... It's not so much against vb as it is against their website. Nothing really that impressive...
Oh well.. At least vBulletin fixed the issues, unlike Microsoft.. vBulletin rocks compared to Microsoft, lol. Rob
the biggest security hole I've ever seen in vb was a remote inclusion in their impex import script. course you're not supposed to leave that around anyway.
However, this is a good reminder about the requirement to test software thoroughly before selling it.
You need to sell and create it publicly to find the bug in the first place. Because if they just release the software to the private people, they wouldn't know how secure it is. They can only find out when they release it. Rob
Usually the vBulletin guys fix new exploits and bugs pretty soon, so I would not worry too much if you are using the latest version.
one thing a lot of people are missing is the nature of how vbulletin is built and how md5s work. vbulletin's database does not store your password in plain text (once upon a time they actually did). what is stored is an md5 of your password with a salt. what that means, essentially, is that if someone gets your cookie, all they have access to is your account... on that site. it won't work for other sites because the salted md5 will be different. beyond this, you can't log into the admin control panel with a hash-- you need the actual password. that's why it prompts you for a password even if you're logged in, it's a security feature. yes, some exploits are scary... but with the way vbulletin is built, as long as you make backups regularly, no serious harm would've been done anyway.
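
The storage and cookie model described in the last post, as an added example that is not part of the thread and not vBulletin's own code. It assumes the database keeps md5(md5(password) + per-user salt) and the cookie carries md5(stored hash + per-site secret); the function names, the `session_hash` cookie name and all sample values are hypothetical.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def stored_hash(password: str, user_salt: str) -> str:
    # Assumed scheme: what the database keeps instead of the plain password.
    return md5_hex(md5_hex(password) + user_salt)

def cookie_token(db_hash: str, site_secret: str) -> str:
    # Assumed scheme: the cookie value is derived from the stored hash
    # and a secret that differs per installation.
    return md5_hex(db_hash + site_secret)

def cookie_is_valid(presented: str, db_hash: str, site_secret: str) -> bool:
    # Constant-time comparison of the presented cookie with the expected one.
    return hmac.compare_digest(presented, cookie_token(db_hash, site_secret))

def admin_login_ok(submitted: str, user_salt: str, db_hash: str) -> bool:
    # Control-panel re-authentication: only the real password reproduces
    # the stored hash, so a value copied from a cookie is rejected.
    return hmac.compare_digest(stored_hash(submitted, user_salt), db_hash)

def session_cookie_header(token: str) -> str:
    # HttpOnly keeps page script, including injected XSS script, from
    # reading the cookie; Secure keeps it off plain HTTP.
    cookie = SimpleCookie()
    cookie["session_hash"] = token
    cookie["session_hash"]["httponly"] = True
    cookie["session_hash"]["secure"] = True
    cookie["session_hash"]["path"] = "/"
    return cookie["session_hash"].OutputString()

def demo() -> dict:
    # Constructed sample data: one user, same password on two forums.
    password = "correct horse"
    hash_a = stored_hash(password, "s1A")
    hash_b = stored_hash(password, "s2B")
    token_a = cookie_token(hash_a, "site-A-secret")
    return {
        "works_on_site_a": cookie_is_valid(token_a, hash_a, "site-A-secret"),
        "works_on_site_b": cookie_is_valid(token_a, hash_b, "site-B-secret"),
        "token_opens_admin": admin_login_ok(token_a, "s1A", hash_a),
        "password_opens_admin": admin_login_ok(password, "s1A", hash_a),
        "set_cookie": session_cookie_header(token_a),
    }
```

Calling `demo()` shows the cookie value being accepted only by the site that issued it and refused by the password re-prompt, with the `Set-Cookie` attributes that stop script from reading it in the first place.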