===============================================================
vBulletin 3.X/4.X CSRF IMG-Tag Exploit
===============================================================
___________ .__ .__ _______
\_ _____/ ____ | |__ ____ | | \ _ \ ____
| __)__/ ___\| | \_/ __ \| | / /_\ \ / \
| \ \___| Y \ ___/| |_\ \_/ \ | \
/_______ /\___ >___| /\___ >____/\_____ /___| /
\/ \/ \/ \/ \/ \/
# Exploit Title: vBulletin 3.X/4.X CSRF IMG-Tag Exploit
# Date: 28/04/2011
# Author: Cyber Tjak
# Software Link: http://www.vBulletin.org
# Version: 3.X & 4.X
# Google Dork 1: Powered by vBulletin 3.X
# Google Dork 2: Powered by vBulletin 4.X
# Platform / Tested on: Multiple
# Category: Web applications
# Code : N/A
# BUG : ######################################################################
1 > Go somewhere you want to include it, e.g. /profile.php?do=editsignature
The IMG-Tag must be allowed there.
2 > Post a new post with this content ===> [IMG]Your Script[/IMG]
3 > You can use it with a plugin like iTrader http://[localhost]/board/itrader_fee…RID&parseurl=1
Furthermore you can use it with external scripts like an ip-logging script.
Just like a normal CSRF-Vuln. =)
4 > Now you can see that your script is working.
# FIX by P4INW4R : ###########################################################
You must create a whitelist of trustworthy image hosters.
1 > Open ./includes/class_bbcode.php
2 > Search for:
function handle_bbcode_img_match($link)
{
    $link = $this->strip_smilies(str_replace('\\"', '"', $link));
    // remove double spaces -- fixes issues with wordwrap
    $link = str_replace(array('  ', '"'), '', $link);
    return '<img src="' . $link . '" border="0" alt="" />';
}
3 > Replace with:
function handle_bbcode_img_match($link)
{
    $link = $this->strip_smilies(str_replace('\\"', '"', $link));
    // remove double spaces -- fixes issues with wordwrap
    $link = str_replace(array('  ', '"'), '', $link);
    // CSRF FIX: only render images that are hosted on a trusted image hoster
    $whitelist = array("HERE YOUR IMAGEHOSTER WITHOUT HTTP:// e.g. abload.de");
    // parse_url() returns null/false when the link has no host; compare case-insensitively
    $host = strtolower((string) parse_url($link, PHP_URL_HOST));
    if (substr($host, 0, 4) == "www.")
    {
        // strip only the leading "www." label, not every occurrence in the host
        $host = substr($host, 4);
    }
    if (in_array($host, $whitelist))
    {
        return '<img src="' . $link . '" border="0" alt="" />';
    }
    else
    {
        return '<p style="color: red;">Please upload your picture at a trusted hoster. For example abload.de</p>';
    }
}
We know that this fix method is suboptimal, so we must wait for a better fix by vBulletin.
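As an added example (not vBulletin's code and not part of the fix above), a stricter form of the same whitelist check: it requires an http/https scheme, lower-cases the host, strips only a leading www., accepts subdomains of a trusted hoster, and HTML-escapes the URL when emitting the tag. The whitelist entries and sample links are constructed values.

```php
<?php
// Added example, not vBulletin's code. Hoster names and links are constructed samples.

// Returns the normalised host of an absolute http(s) URL, or null when the link
// has no usable host (relative path, other scheme, malformed URL).
function normalize_image_host($link)
{
    $parts = parse_url($link);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4); // strip only the leading label
    }
    return $host;
}

// True if $host is a trusted hoster or a subdomain of one (e.g. img1.abload.de).
// The leading dot in the suffix test keeps "abload.de.example" from passing.
function is_trusted_image_host($host, array $whitelist)
{
    if ($host === null) {
        return false;
    }
    foreach ($whitelist as $trusted) {
        $suffix = '.' . $trusted;
        if ($host === $trusted || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Drop-in for the whitelist branch of handle_bbcode_img_match() in the fix above.
function render_img_bbcode($link, array $whitelist)
{
    if (!is_trusted_image_host(normalize_image_host($link), $whitelist)) {
        return '<p style="color: red;">Please upload your picture at a trusted hoster.</p>';
    }
    return '<img src="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '" border="0" alt="" />';
}

$whitelist = array('abload.de'); // constructed sample whitelist
foreach (array('http://www.abload.de/img/x.png',  // leading www.
               'https://IMG1.Abload.DE/x.png',    // subdomain, mixed case
               'http://abload.de.example/x.png',  // other domain with a trusted prefix
               '/board/itrader.php?do=fee') as $link) { // relative link, no host
    echo render_img_bbcode($link, $whitelist), "\n";
}
```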
################################################################################
Our Website: http://www.echel0n.net
Special Thanks to: P4INW4R, Subnet, Skittles, 0x00, Santa & all other mates.
################################################################################
One comment
Yakuza112
Updated for imagebanana, directupload and abload
http://109.163.225.194/download/files/other/csrf_fix_anleitung.txt