vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=296277

vB 3.8.7 PL 3 XSS Leak in Email Link to Friend?
by Smitty
18 Mar 2013 22:23

I'm not sure if this is really the right forum for this. Please move if it's not "best fit".

This is on a fully patched 3.8.7 Patch Level 3 install. It IS an old forum which is highly modified - Too many mods to list here.

Someone has figured out how to use a phrase in one of my sites and cause spam emails to be sent. It uses the "Email Link to Friend" phrase and some of its variables. I *assume* it is a cross site XSS issue but I am not sure. I know this is happening because of Bounce messages I am getting.

1. I never did have the email to friend feature enabled for any user group and my tests show the people do get the error message if they try.

2. I "emptied" the sendtofriend template so now all a person gets is a message "'Send Link To Friend' DISABLED due to potential spam issues."

3. It is (now was) obviously using some of the "$vbphrase[sendtofriend]" phrase variables, so I emptied that out and put in my own message (without any variables) with an apology. Prior to doing that it gave a link to a web site using the "$vbphrase[sendtofriend]" phrase somehow, and used a couple "real" variables in that phrase.

Now that I have completely eliminated the variables in the phrase and put in my own text (an apology and brief explanation of what I *think* is happening) the spam content they were sending doesn't show - Only the text I put in shows in the emails which are sent.

4. No emails are going to forum members. They are somehow using a mailing list.

5. Somehow they are getting the email address set in the vB adminCP > Options > Site Name / URL / Contact Details as the "Sent By" - If I change that the spam email "From" address changes with it.

6. They are able to put in their own "Subject" in the spam emails being sent.

7. I have vBulletin set up to use php to send outgoing emails.

Has anyone heard of anything like this? And/or any ideas on how it is being done, not to mention how to stop it?

What is surprising is that now that I can control the spam email contents, it seems to me they would stop, which they haven't.
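A defender-side check for the pattern described in points 1 to 7, added here as an example and not taken from the thread: it parses Apache combined-format access log lines (a constructed sample) and flags client IPs that POST to the send-to-friend handler in bursts or with a Referer from another site, which is what abuse of a feature disabled for every usergroup looks like in the HTTP log. The handler path (sendmessage.php with do=...sendtofriend) and the forum host name are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample of Apache combined-format lines (not real traffic).
# One client posts three times in seconds from a foreign Referer; one legitimate
# post comes from the forum's own send-to-friend form.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2013:04:10:01 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 5120 "http://forum.example/forum/" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2013:04:10:03 +0000] "POST /forum/sendmessage.php?do=dosendtofriend HTTP/1.1" 200 812 "http://phish.example/spam.html" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2013:04:10:04 +0000] "POST /forum/sendmessage.php?do=dosendtofriend HTTP/1.1" 200 812 "http://phish.example/spam.html" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2013:04:10:04 +0000] "POST /forum/sendmessage.php?do=dosendtofriend HTTP/1.1" 200 812 "http://phish.example/spam.html" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2013:04:11:20 +0000] "POST /forum/sendmessage.php?do=dosendtofriend HTTP/1.1" 200 812 "http://forum.example/forum/sendmessage.php?do=sendtofriend&t=1234" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sendtofriend(rec):
    # Assumption: vB 3.x serves the feature from sendmessage.php with a
    # do=sendtofriend / do=dosendtofriend parameter; matching the substring covers both.
    return (rec["method"] == "POST"
            and "sendmessage.php" in rec["path"]
            and "sendtofriend" in rec["path"])

def analyse(log_text, own_host, burst_threshold=3):
    """Summarise send-to-friend POSTs per client IP and note foreign Referer hosts."""
    per_ip = Counter()
    foreign_referers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_sendtofriend(rec):
            continue
        per_ip[rec["ip"]] += 1
        ref_host = urlparse(rec["referer"]).hostname or ""
        if ref_host != own_host:           # form submitted from another site
            foreign_referers[rec["ip"]].add(ref_host or "(none)")
    return {
        "bursty_ips": sorted(ip for ip, n in per_ip.items() if n >= burst_threshold),
        "foreign_referer_ips": {ip: sorted(h) for ip, h in foreign_referers.items()},
        "posts_per_ip": dict(per_ip),
    }
```

Because the feature was disabled for every usergroup, any successful POST here is worth a look; the burst and Referer checks just rank them.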

Lynne 19 Mar 2013 03:08

If they were able to change your phrases, then they have access to the server and were then using a script to do what they wanted (modified vbulletin file?). I would suggest checking your server access logs and contacting your host about this.

Smitty 19 Mar 2013 05:09

They cannot change any phrases. I changed the "$vbphrase[sendtofriend]" phrase which changed their spam emails, or at least the body of the emails. See 3 above. They don't have access to the box (it's a dedicated server). I can tell by looking at the ssh and sftp logs. I haven't slogged through the access logs yet to see what's happening with http.

Smitty 21 Mar 2013 10:38

As a follow-up, this turned out to be an xss exploit from another site (a phishing site) which I fixed. I also got the site taken offline. There were some files in my includes directory with the wrong permissions set. I recently did a migration to a new server and some of the file permissions I had set didn't carry over.

Lynne 21 Mar 2013 16:30

I'm glad you got the issue resolved!

Smitty 21 Mar 2013 17:10

Actually it ended up being sort of fun once I realized what they were doing and how to stop it. It took them about 36 hours before they realized that I changed their spam email message body. That gave me time to watch the http log file and gather info on them before I changed permissions on the files which stopped them dead in their tracks. I also got their web site taken offline by submitting my info to the hosting company whose server they were on. The hosting company was using Amazonaws, but I won't mention the host company here for obvious reasons.

The spammers were rather upset (to say the least). I had gotten the Amazonaws people involved as well as the us-cert.gov people, and they were monitoring things when whoever it was tried to DoS the site. They failed to even slow the site down for more than 10 to 20 seconds at a time. They gave up after about an hour.

Getting their site taken offline gave me a good feeling, so all ended well.

Hall of Famer 07 Sep 2013 02:46

Umm, is there a way to fix the problem? I am having the second XSS attack through the showthread.php page on my VB3.8 forum in 3 months. I am not sure if it's the same problem as this one but it may have some connection. The problem is, my webhost will suspend my account even if this is not my fault in any way (unless it's a crime to use VB software?).

Smitty 07 Sep 2013 11:03

I can't remember exactly what I did now other than what I described herein. I do remember it had something to do with file permissions which had changed when the site was migrated to another server. I wish I could tell you more.

Hall of Famer 12 Sep 2013 01:39

That's too bad... I just received another XSS attack on showthread.php, it's getting serious. *sigh*

Smitty 12 Sep 2013 01:50

showthread.php?

Exactly what is happening?

Screen shot?

joeychgo 12 Sep 2013 03:31

I always recommend forum owners hire Securi. I use them for all my sites. They monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.

Hall of Famer 12 Sep 2013 14:22

Quote:

Originally Posted by joeychgo (Post 2445032)
I always recommend forum owners hire Securi. I use them for all my sites. They monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.

Well, I ran two free scans on my forum and the showthread.php page, and it says there's no security threat. *sigh* You sure this is correct?

Smitty 12 Sep 2013 14:48

This is something only a vB *expert* can deal with. I also have a person dedicated to security on my dedicated servers, but he isn't a vB pro. I fixed my problem but with no help from him. That said my servers are secure and I do not expect him to deal with vB issues.

Other than that, not much I can say other than:

How do you know it's showthread.php?

Hall of Famer 12 Sep 2013 18:07

Quote:

Originally Posted by Smitty (Post 2445110)
This is something only a vB *expert* can deal with. I also have a person dedicated to security on my dedicated servers, but he isn't a vB pro. I fixed my problem but with no help from him. That said my servers are secure and I do not expect him to deal with vB issues.

Other than that, not much I can say other than:

How do you know it's showthread.php?

'cause the host was able to trace the activity of the hacker, and showthread.php was where he/she accessed to send spam mails.

Smitty 12 Sep 2013 19:11

Ah. Well, it looks like only you and I have run into whatever it was/is. I haven't seen it mentioned anywhere by anyone else. I feel for you. I wish I could help you. I do hope if you find out what it is and how they're doing it you will let me and others know.
