SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
[Vendor Disputes Claim] vBulletin register.php Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008780
SecurityTracker URL:  http://securitytracker.com/id/1008780
CVE Reference:   CAN-2004-0091   (Links to External Site)
Updated:  Jan 23 2004
Original Entry Date:  Jan 20 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.3.4 [affected version number is unconfirmed at this time]
Description:   An input validation vulnerability was reported in vBulletin in 'register.php'. A remote user can conduct cross-site scripting attacks. The vendor has disputed this claim.

GERMAN COMPUTER FREAKS reported that the software does not properly validate the contents of the 'reg_site' hidden field. A remote user can create a specially crafted web form that, when submitted by a target user, will cause arbitrary scripting code to be executed on the target user's computer. The code will originate from the site running the vBulletin software and will run in the security domain of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit example is provided in the Source Message.

The vendor was reportedly notified on January 7, 2004.

[Editor's note: The vendor disputes this vulnerability claim and indicates that there is no vulnerability. Kier Darby has stated that the product does not have a hidden field called 'reg_site' and does not have a variable named $reg_site anywhere in the vBulletin 2 or vBulletin 3 source code or templates (and has never had it). We are attempting to clarify the matter with the author of the report.]
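
The class of flaw described above (a request parameter written back into a page without output encoding) can be regression-tested by parsing the rendered markup. This is an added example, not code from the advisory or from vBulletin: the template, the function names and the use of Python are assumptions for illustration, and the sample inputs are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical template: the advisory does not show the server-side markup and
# the vendor says no 'reg_site' field exists, so both contexts are assumptions.
TEMPLATE = ('<p>Referred by: {text}</p>'
            '<input type="hidden" name="reg_site" value="{attr}">')

def render_unsafe(reg_site: str) -> str:
    """Request value placed into the markup with no output encoding."""
    return TEMPLATE.format(text=reg_site, attr=reg_site)

def render_encoded(reg_site: str) -> str:
    """Same template with the value HTML-encoded, both quote characters included."""
    enc = escape(reg_site, quote=True)
    return TEMPLATE.format(text=enc, attr=enc)

class _Audit(HTMLParser):
    """Records element names and the reg_site value an HTML parser recovers."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.reg_site = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        found = dict(attrs)
        if tag == "input" and found.get("name") == "reg_site":
            self.reg_site = found.get("value")

def audit(html: str, raw: str) -> dict:
    """Only the template's own elements may appear, and the hidden field must
    hand back the raw input unchanged after parsing."""
    parser = _Audit()
    parser.feed(html)
    parser.close()
    extra = [t for t in parser.tags if t not in ("p", "input")]
    return {"unexpected_tags": extra, "round_trips": parser.reg_site == raw}

# Constructed inputs: the advisory's own placeholder string, and an inert value
# containing a double quote to exercise the quoted-attribute context.
SAMPLES = ['<SCRIPT><!-- EVIL CODE //--></SCRIPT>', 'a"b']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  unsafe :", audit(render_unsafe(sample), sample))
        print("  encoded:", audit(render_encoded(sample), sample))
```

The two samples fail in different ways when unencoded: the first adds an element in the text context, the second truncates the attribute value, which is why the audit checks both conditions.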

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vBulletin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

[Editor's note: The vendor has stated that there is no vulnerability.]

Solution:   The report indicated that the vendor has issued a patch. However, the vendor has responded to say that there is no patch because there is no vulnerability [see the Description section for information on the vendor's statement.]
Vendor URL:  www.vbulletin.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 20 Jan 2004 10:06:08 -0800
Subject:  vBulletin Security Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------
 GERMAN COMPUTER FREAKS - SECURITY ADVISORY - SINCE 1997
                  January 20th, 2003
- - -------------------------------------------------------

  Software      : vBulletin Bulletin Board
  Vendor        : Jelsoft Enterprises Limited / inGame GmbH
  Vulnerability : Cross Site Scripting
  Status        : Author has been notified

- - ------------------------------------------------------

- - - - Description

    vBulletin Bulletin Board derivatives contain a security bug
   that may lead to disclosure of private information due to a
   cross site scripting attack.

    This vulnerability may enable an attacker to transmit sensitive
   information like 'encrypted' passwords, user identification
   numbers or forum passwords to another server.

    Currently, we will refrain from publishing proof of concept
   information to mitigate the impact of this vulnerability.

- - - - Technical Details

    Due to an improperly quoted field in register.php it's possible
   to inject malicious HTML code. With the use of Javascript code
   an attacker is then able to send sensitive information (like
   cookies) to a foreign server.

   Attack Example:

   <form action="http://www.VULN-BOARD.com/register.php" method="GET">
   <input type="hidden" name="reg_site"
    value="<SCRIPT><!-- EVIL CODE //--></SCRIPT>"/>
   <input type="text" name="email" value="" />
   <input type="submit" value="Show my cookies" />

- - - - Patch

    The vendor released a patch for this vulnerability.

- - - - Closing Words

  07.01.04  Contacting the board developers and explaining the vulnerability
  08.01.04  Developing a proof of concept tool (undisclosed)
  20.01.04  Disclosure of this advisory to public

- - - - Greets

     This bug was found by Darkwell. We would like to greet Natok!
     He's great!

                        _________________ ___________
                       /  _____/\_   ___ \\_   _____/
                      /   \  ___/    \  \/ |    __)
                      \    \_\  \     \____|     \
                       \______  /\______  /\___  /
                              \/        \/     \/
                        The German Computer Freaks
                         www.gcf.de    Since 1997             /\
                                                             /  \
____________________________________________________________/ # /
                                                            \  /
                                                             \/

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkANbpsACgkQcd4BvfErJcpzFQCggXQa7WHVZslM1e/3ahG333e8lrMA
oL1vBo7v3oJjMNxhzf3oINBIp8e6
=msHO
-----END PGP SIGNATURE-----





Copyright 2014, SecurityGlobal.net LLC