what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vBulletin 4.0.8 Cross Site Scripting

vBulletin 4.0.8 Cross Site Scripting
Posted Nov 16, 2010
Authored by MaXe

vBulletin version 4.0.8 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 532b77cbe0f670822b9ca72b962634967c91c6ebf944208f42852cd4e2b6da83

vBulletin 4.0.8 Cross Site Scripting

Change Mirror Download
vBulletin - Persistent Cross Site Scripting via Profile Customization


Versions Affected: 4.0.8 (3.8.* is not vulnerable.)

Info:
Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.

External Links:
http://www.vbulletin.com

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability
does not exist and the installation of vBulletin is thereby secure.

Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.

[1] Private Reflected XSS:
An attacker can inject scripts in a simple way, which is only visible to the attacker.

Proof of Concept:
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)
(This is only visible to the attacker when he or she is logged in, and browsing his or her own profile.)

[2] Global Reflected XSS:
An attacker can inject malicious CSS data executing javascript, which is then visible
to anyone browsing the user profile. Even guests visiting the malicious user profile.

Proof of Concept: (IE6 only, may not work in IE7+ and FF)
url(/);background:url(javascript:document.write(1337))
url(/);width:expression(alert('www.intern0t.net'))


Please note that some of these strings may be too long to be injected. However a
blog entry at Exploit-DB and a video on YouTube will be released very soon.


-:: Solution ::-
Turn off profile customization immediately for users able to customize their profile!
When a security patch has been provided by the vendor, enable this feature again.


Disclosure Information:
- Vulnerability found and researched: 11th November 2010
- Vendor (vBulletin Solutions / IB) contacted: 11th November
- Disclosed to Exploit-DB, Bugtraq and InterN0T: 14th November

References:
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-xss-profile-customization.html
http://www.vbulletin.com/forum/showthread.php?366834-vbulletin-4-profile-customization-exploit
http://blip.tv/file/4381880
http://www.youtube.com/watch?v=LOcLFVAqgOU
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close