
Major XSS security flaw in VBSEO !


  1. #1
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times

    Major XSS security flaw in VBSEO !

    Hi,



    On a thread on this board, I created a tag that contains HTML. To my surprise, I got this result:

    vBulletin SEO Forums - Threads Tagged with <a href="ff">test</a>

    You are including the tag in the META description and you are not calling the PHP function htmlentities (or some equivalent function) on the resulting string. The net result of this is that I can alter the HTML on the page - as you can see with your own eyes.

    This is a huge XSS flaw and at the same time a BEGINNER'S mistake in programming. I advise Crawlability to take security seriously. It is not acceptable to release your product without testing at least once for HTML all the fields on which you receive data from the user.

    I don't want to get to the conclusion that VBSEO represents a security threat for my board. Please test the product properly before release.



    Regards,
    Razvan

  2. #2
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times
    I forgot ... please release a patch for this, if possible, yesterday.

  3. #3
    vBSEO Staff Ace Shattock's Avatar
    Real Name
    Ace Shattock
    Join Date
    Jul 2005
    Location
    Auckland, New Zealand, New Zealand
    Posts
    3,998
    Liked
    11 times
    Originally Posted by mihai11:
    > I don't want to get to the conclusion that VBSEO represents a security threat for my board. Please test the product properly before release.

    Hi,

    Does this test also work on your forum?

    *edit* And, how exactly is this an XSS flaw? The HTML is altered, sure, but it's altered when you type anything in and post it. You've created a tag that contains ... nothing dangerous.

  4. #4
    Senior Member
    Real Name
    Dhillon
    Join Date
    Apr 2006
    Posts
    341
    Liked
    1 times
    This can be pretty dangerous if someone has upped the max tag length from the default 25 chars to something like 100,
    though not much can be done with the default 25 char limit.

  5. #5
    Senior Member briansol's Avatar
    Real Name
    Brian
    Join Date
    Apr 2006
    Location
    Central CT, USA
    Posts
    6,981
    Liked
    8 times
    http://www.vbseo.com/tags/%3Cscript%...%3C/script%3E/

    I can't seem to make it work with anything BUT the anchor...

    looks like script tags are removed to make it not work

  6. #6
    vBSEO.com Webmaster Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    22,367
    Liked
    542 times
    Blog Entries
    4
    Default vBSEO doesn't alter meta tags or meta description within Tags.
    Mert Gökçeimam / Crawlability Inc.

    vBSEO 3.6.0 Alpha Preview - Including Like Tree
    Unveiling the NEW vBSEO Sitemap Generator 3.0 - available NOW for vBSEO Customers!


    Twitter:@Depkac
    Personal Blog : Mert Gökçeimam

  7. #7
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times
    It seems to be fixed now. From where can we take the patch?



    Regards,
    Razvan

  8. #8
    vBSEO.com Webmaster Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    22,367
    Liked
    542 times
    Blog Entries
    4
    Razvan,

    vBSEO doesn't alter meta description or meta tags within Tag pages. That's why there is nothing to patch within vBSEO as vBSEO script never had this security flaw. If you are concerned about duplicate meta tags problem within Tag pages you may want to apply help.. google duplicate tags description
    Last edited by Joe Ward; 12-03-2008 at 10:57 AM.

  9. #9
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times
    Originally Posted by Mert Gökçeimam:
    > Razvan,
    >
    > vBSEO doesn't alter meta description or meta tags within Tag pages. That's why there is nothing to patch within vBSEO as vBSEO script never had this security flaw. If you are concerned about duplicate meta tags problem within Tag pages you may want to apply help.. google duplicate tags description

    True, on my board I do not have this issue. I have another issue with HTML tags and I will open a support ticket for that. It looks like the security issue that I highlighted in this thread was only manifesting itself in the VBSEO version that you have installed here - which is different than mine. You are using VBSEO 3.2.5 and I am using VBSEO 3.2.0.

    About the flaw that I discovered here yesterday: the version of VBSEO that you are using is updating the KEYWORDS META tag. Currently, in the link above, the KEYWORDS META contains this:

    Code:
    <meta name="keywords" content="&lt;a href=&quot;ff&quot;&gt;test&lt;/a&gt;, SEO, vbulle
    Yesterday's version was this:
    Code:
    <meta name="keywords" content="<a href="ff">test</a>, SEO, vbulletin
    Yesterday's version did not transform the special characters in HTML - like "less than", "greater than" or the quotes - into their HTML entity equivalents.

    Now, I understand why there is no patch: there is no patch because the problem was only with the experimental version of VBSEO that you are using (VBSEO 3.2.5) and you have silently patched that.

    What I do not understand is why you are denying the existence of this bug. What you are saying here:

    > vBSEO as vBSEO script never had this security flaw.

    is not the truth. Maybe the bug was fixed before you got the chance to look at the page. Anyway, one thing is CERTAIN: yesterday you had a major XSS flaw in the version of VBSEO that you are using in this site (VBSEO 3.2.5).

    This version did not heal itself overnight. Someone from your team fixed this.
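
The difference between the two META outputs quoted in post #9, shown as an added example that is not part of the thread and is not vBSEO, vBulletin or vbseo.com style code. The function names and `DEFAULT_KEYWORDS` are hypothetical; the tag value is the one from the report.

```php
<?php
// Added illustration. Function names and DEFAULT_KEYWORDS are hypothetical,
// not taken from vBSEO, vBulletin or the vbseo.com style.
const DEFAULT_KEYWORDS = 'SEO, vbulletin seo'; // constructed sample value

// "Before": the user-supplied tag name is concatenated into the attribute raw.
function meta_keywords_raw(string $tag): string
{
    return '<meta name="keywords" content="' . $tag . ', ' . DEFAULT_KEYWORDS . '" />';
}

// "After": encode for the attribute context. ENT_QUOTES converts both quote
// styles, so the value cannot terminate content="..." early.
function meta_keywords_encoded(string $tag): string
{
    $value = htmlspecialchars($tag . ', ' . DEFAULT_KEYWORDS, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta name="keywords" content="' . $value . '" />';
}

// Regression check: parse the markup with a lenient HTML parser and return the
// content attribute it ends up with. Intact output round-trips to the input.
function parsed_content(string $metaHtml): ?string
{
    $previous = libxml_use_internal_errors(true); // malformed markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<html><head>' . $metaHtml . '</head><body></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $meta = $doc->getElementsByTagName('meta')->item(0);
    return $meta instanceof DOMElement ? $meta->getAttribute('content') : null;
}

$tag = '<a href="ff">test</a>'; // the tag name used in the report
$expected = $tag . ', ' . DEFAULT_KEYWORDS;

foreach (['raw' => meta_keywords_raw($tag), 'encoded' => meta_keywords_encoded($tag)] as $label => $html) {
    $intact = parsed_content($html) === $expected;
    printf("%-8s %s\n         attribute intact: %s\n", $label, $html, $intact ? 'yes' : 'no');
}
```

A tag-length limit such as the default 25 characters mentioned in post #4 bounds what fits in the value, but it does not replace encoding at output.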

  10. #10
    vBSEO.com Webmaster Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    22,367
    Liked
    542 times
    Blog Entries
    4
    I think there is a miscommunication between us. vBSEO 3.2.0 or vBSEO 3.2.5 doesn't alter meta tags or meta keywords within tags page. In both versions the security flaw you mentioned didn't exist at all.

    vBSEO code never had the security flaw you mentioned. I hope I could make this point clear.

    The problem you pointed out was related to a minor style problem which was altered by us to test something. It was no major issue but thanks for pointing out that so we could correct the problem.
    Last edited by Mert Gökçeimam; 12-03-2008 at 01:22 PM.

  11. #11
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times
    Originally Posted by Mert Gökçeimam:
    I think you are not trying to understand, vBSEO 3.2.0 or vBSEO 3.2.5 doesn't alter meta tags or meta keywords within tags page. In both versions the security flaw you mentioned didn't exist at all.

    vBSEO code never had the security flaw you mentioned. I hope you'll understand this time.

    The problem you think you found out was related to a minor skin problem which had only been applied to one of the styles we were using. That's all.

    I suggest you quit playing this game.

    VBSEO is CURRENTLY modifying the KEYWORDS META tag. All you have to do is to look at the source code of the page from here:

    vBulletin SEO Forums - Threads Tagged with <a href="ff">test</a>


    The full META tag is this:

    Code:
    <meta name="keywords" content="&lt;a href=&quot;ff&quot;&gt;test&lt;/a&gt;, SEO, vbulletin search engine optimization, search engine optimisation, search engine friendly forums, vbulletin seo" />
    As you can see for yourself, the KEYWORDS description contains the tag in question.

    The "minor" skin problem allowed the introduction of arbitrary HTML code in the tag pages. That is a major XSS flaw.

  12. #12
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times
    Originally Posted by Mert Gökçeimam:
    > I think there is a miscommunication between us. vBSEO 3.2.0 or vBSEO 3.2.5 doesn't alter meta tags or meta keywords within tags page. In both versions the security flaw you mentioned didn't exist at all.
    >
    > vBSEO code never had the security flaw you mentioned. I hope I could make this point clear.
    >
    > The problem you pointed out was related to a minor style problem which was altered by us to test something. It was no major issue but thanks for pointing out that so we could correct the problem.

    I see ... you've changed the tone of your answer. I will edit my previous message to reflect this change.

  13. #13
    vBSEO Staff Oleg Ignatiuk's Avatar
    Real Name
    Oleg Ignatiuk
    Join Date
    Jun 2005
    Location
    Belarus
    Posts
    25,689
    Liked
    157 times
    Hello Razvan,

    there seems to be a confusion here - vBSEO does modify meta description on the fly, but it's only being applied for a limited set of pages: member, forumdisplay, showpost, showthread, blog (as you can see in functions_vbseo.php file), i.e. tags pages are not affected. That was included in version 3.2.0 and it is not changed in vBSEO 3.2.5.

    On the other hand, we have a modified style here on vbseo.com forum to provide custom descriptions on tags pages (as described in this thread), but that's not a vBSEO product feature (and not a feature of official "vBSEO Style" product).

    Please let me know if you have further questions.
    Oleg Ignatiuk / Crawlability Inc.
    vBSEO 3.6.0 GOLD Released!
    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!

