pub

CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)

Overview

date    :  10/12/2014  
cvss    :  4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe     :  79 

vendor  : vBulletin Solutions
product : vBulletin 4
versions affected :  latest 4.x and 5.x (to date); verified <= 4.2.2  ; <= 5.0.x
		* vBulletin 5.0.5	  (verified)
		* vBulletin 4.2.2     (verified)  
		* vBulletin 4.2.1     (verified)  
		* vBulletin 4.2.0 PL2 (verified)  
			
exploitability :
		* remotely exploitable
		* requires authentication (apikey)
		* requires non-default features to be enabled (API interface, API-Logging)
		* requires user interaction to trigger exploit (admincp - admin views logs)
			
patch availability (to date) :  None

Abstract

vBulletin 4/5 does not properly sanitize client provided xmlrpc attributes (e.g. client name)
allowing the remote xmlrpc client to inject code into the xmlrpc API logging page. 
Code is executed once an admin visits the API log page and clicks on the API clients name.

risk:  rather low - due to the fact that you the api key is required
	   you can probably use CVE-2014-2023 to obtain the api key

Details

vulnerable component: 
	./admincp/apilog.php?do=viewclient
apilog.php does not sanitize xmlrpc client provided data before passing it to
print_label_row to generate the output page.

Proof of Concept (PoC)

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021


1) prerequisites
1.1) enable API, generate API-key
	 logon to AdminCP
	 goto "vBulletin API"->"API-Key" and enable the API interface, generate key
	 goto "vBulletin API"->"API-Log" and enable all API logging
2) run PoC
	 edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
	 run PoC, wait for SUCCESS! message
3) trigger exploit
     logon to AdminCP
	 goto "vBulletin API"->"API-Log" and hit "view"
	 in search results click on "client name"
	 the injected msgbox pops up

Timeline

2014-01-14: initial vendor contact - no reply
2014-01-24: vendor contact - no reply
2014-10-13: public disclosure

Contact

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021

(0x721427D8)