
“vBSecurity” by DragonByte

A self-XSS vulnerability in the “vBSecurity” plugin by DragonByte allows an attacker to inject JavaScript or HTML into the website. By submitting an edited HTTP request with HTML or JavaScript as the user-agent value, an attacker can store malicious code in the management panel of “vBSecurity”. When the panel is viewed, the code is executed and could perform actions on behalf of the user. The vulnerability was reported as CVE-2018-12580.

Background

We discovered a security issue in “vBSecurity” by DragonByte. It is possible to inject JavaScript code into the website due to a lack of sufficient input filtering. “vBSecurity” lets users view their active sessions, including values such as date, time, last activity and user-agent, in a management panel. The user-agent value is not filtered and is therefore susceptible to a reflected-XSS attack. Malicious code in the user-agent field is executed whenever the management panel is displayed. Because only the user themselves can view their own management panel, the issue is considered a self-XSS attack vector.

Steps to Reproduce

An attacker has to log in by sending a forged or edited HTTP request to the vulnerable target. In this request, the user-agent header is populated with malicious code.
The following pictures show how we were able to exploit the vulnerability.

Root Cause

This issue exists due to insufficient input filtering. To mitigate it, we recommend applying input filtering to all request headers and never reflecting any value in output without sanitizing it.
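The following is an added example, not code from the vBSecurity plugin or from DragonByte, written in Python rather than the plugin's PHP so the idea carries over to any web application. It models a session-management panel like the one described above: a row renderer that echoes the stored User-Agent verbatim (the class of flaw reported here), the same renderer with HTML encoding applied to every untrusted value, and a small audit function that flags already-stored User-Agent values containing HTML-significant characters. The Session class, the SESSIONS list and its header values, and all function names are constructed for illustration.

```python
import html
from dataclasses import dataclass


@dataclass
class Session:
    """One row of a hypothetical 'active sessions' panel (constructed, not the plugin's schema)."""
    user: str
    last_activity: str
    user_agent: str  # taken verbatim from the User-Agent request header at login


# Constructed sample data: a normal browser UA and one carrying markup,
# as the advisory describes for the vulnerable panel.
SESSIONS = [
    Session("alice", "2018-06-01 10:00", "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"),
    Session("alice", "2018-06-01 10:05", "<script>alert(1)</script>"),
]

ROW_TEMPLATE = "<tr><td>{user}</td><td>{last}</td><td>{ua}</td></tr>"


def render_row_vulnerable(s: Session) -> str:
    """Echoes stored values without encoding: markup in the User-Agent becomes part of the page."""
    return ROW_TEMPLATE.format(user=s.user, last=s.last_activity, ua=s.user_agent)


def render_row_fixed(s: Session) -> str:
    """HTML-encodes every untrusted value before it reaches the panel, the User-Agent included.

    quote=True also encodes ' and ", which matters if a value is ever placed in an attribute.
    """
    return ROW_TEMPLATE.format(
        user=html.escape(s.user, quote=True),
        last=html.escape(s.last_activity, quote=True),
        ua=html.escape(s.user_agent, quote=True),
    )


def render_panel(sessions, fixed: bool = True) -> str:
    """Renders the whole panel with either the vulnerable or the hardened row renderer."""
    render = render_row_fixed if fixed else render_row_vulnerable
    return "<table>" + "".join(render(s) for s in sessions) + "</table>"


def audit_sessions(sessions):
    """Defender-side check over stored data: return sessions whose User-Agent holds
    characters that HTML treats as markup, so they can be reviewed or purged."""
    suspicious_chars = set("<>\"'")
    return [s for s in sessions if suspicious_chars & set(s.user_agent)]


if __name__ == "__main__":
    print("vulnerable:", render_panel(SESSIONS, fixed=False))
    print("fixed:     ", render_panel(SESSIONS, fixed=True))
    for s in audit_sessions(SESSIONS):
        print("suspicious stored user-agent for", s.user, "at", s.last_activity, "->", repr(s.user_agent))
```

Encoding at output time is the fix that survives new input paths: a header that was never filtered on the way in is still rendered as inert text. The audit function covers the window between deployment of the vulnerable version and the fix, when markup may already sit in the session table.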

Fix

The issue was fixed in release v3.3.0.


Credit

Credit for finding and reporting the issue:

Laurent Vetter