Advisory ID: SYSS-2018-017
Product: vBulletin
Manufacturer: vBulletin Solutions
Affected Version(s): 5.4.3
Tested Version(s): 5.4.3
Vulnerability Type: Open Redirect (CWE-601)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-08-09
Solution Date: 2018-09-18
Public Disclosure: 2018-10-16
CVE Reference: CVE-2018-15493
Author of Advisory: Moritz Lottermann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

vBulletin is software for setting up Internet forums.

The manufacturer describes the product as "the world's leading
community software" (see [1]).

Due to insufficient filtering of user-controlled input, vBulletin is
vulnerable to an open redirect weakness.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Any value of the GET parameter 'url' is accepted as the target of a
redirection. This can make phishing attacks much more credible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following example URL demonstrates the security vulnerability:

https://my-vbulletin-instance.com/auth/login-form?vb_login_redirected=1&url=aHR0cHM6Ly93d3cuc3lzcy5kZQ%3d%3d

After a successful login, the user is redirected to https://www.syss.de.
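
Added example (not part of the SySS advisory and not vBulletin code): a
Python check for log review that decodes the 'url' parameter of
/auth/login-form requests, which the PoC carries Base64-encoded, and flags
targets that leave the forum's own host. The host name is the placeholder
from the PoC; treating a non-Base64 value as the literal target is an
assumption.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

FORUM_HOST = "my-vbulletin-instance.com"  # placeholder host from the advisory's PoC

def decode_redirect_target(request_url):
    """Return the decoded 'url' parameter of a login-form request, else None."""
    parts = urlsplit(request_url)
    if not parts.path.endswith("/auth/login-form"):
        return None
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:
        padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw  # assumption: a non-Base64 value is used as the target as-is

def is_external_redirect(target, own_host=FORUM_HOST):
    """True if following `target` would take the browser off `own_host`."""
    try:
        # Browsers treat '\' like '/', so normalise before parsing.
        parts = urlsplit(target.strip().replace("\\", "/"))
        host = (parts.hostname or "").lower()
    except ValueError:
        return True  # unparseable authority: reject
    if parts.scheme:
        return parts.scheme not in ("http", "https") or host != own_host
    return bool(parts.netloc) and host != own_host  # '//host/...' is absolute

def flag_requests(request_urls):
    """Return (request, target) pairs whose redirect target leaves the forum."""
    pairs = ((u, decode_redirect_target(u)) for u in request_urls)
    return [(u, t) for u, t in pairs if t is not None and is_external_redirect(t)]

# Constructed sample: the advisory's PoC URL plus a benign same-site redirect.
SAMPLE = [
    "https://my-vbulletin-instance.com/auth/login-form?vb_login_redirected=1&url=aHR0cHM6Ly93d3cuc3lzcy5kZQ%3d%3d",
    "https://my-vbulletin-instance.com/auth/login-form?url=L2ZvcnVt",
]

if __name__ == "__main__":
    for request, target in flag_requests(SAMPLE):
        print("external redirect target:", target)
```

The same is_external_redirect() test, applied before the redirect is issued,
is the server-side form of the filtering the advisory found missing.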

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.4.4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-07: Vulnerability discovered
2018-08-09: Vulnerability reported to manufacturer
2018-09-16: Fix released by manufacturer
2018-10-16: Fix released by manufacturer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for vBulletin
    https://www.vbulletin.com/
[2] SySS Security Advisory SYSS-2018-017
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-017.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Lottermann of SySS GmbH.

E-Mail: moritz.lottermann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Lottermann.asc
Key ID: 0xC9E27D8CDEC05EF5
Key Fingerprint: EA86 773C 98EB CF3A 1959 D651 C9E2 7D8C DEC0 5EF5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en