vBulletin Forum Software Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1003869
SecurityTracker URL: http://securitytracker.com/id/1003869
Date: Mar 21 2002
Disclosure of authentication information, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 2.2.3
A vulnerability was reported in the vBulletin bulletin board software. A remote user can conduct cross-site scripting attacks against other vBulletin users.
It is reported that a remote user can inject scripting code in posts and in private messages within an IMG tag (which is apparently enabled, by default). When the target (victim) user views the message, the code will be executed on the target user's browser. The code will originate from the system running vBulletin and will run in the security context of that system. As a result, the code will be able to access the target user's cookies associated with the vBulletin site.
Some demonstration exploit code is included in the Source Message.
The vendor has reportedly released a fixed version (2.2.4). See the Vendor URL for more information.
Vendor URL: www.vbulletin.com/
Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: [img]-vulnerability in vBulletin Version 2.2.2 & 2.2.1 & maybe older
I've discovered a vulnerability in vBulletin's [img]-Tag
that allows users to inject vbs-code in posts and private messages
([img] is switched on by default).
Through that, an attacker is able to steal other users' cookies and
maybe hijack their accounts.
The following code sends the user's cookie to a php-script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser)
It is enclosed in [code]-Tag, the url is encoded in ascii and
linebreaks are inserted to avoid filtering of some characters and
insertion of <br>-Tags
Feb 19 02: contacted Jelsoft
Feb 20 02: Vendor confirmed the bug
Feb 21 02: Jelsoft claimed to have made a patch "which clamps
down on what characters are allowed in an [img] tag,
as well as requiring it to start with http://".
Sounds good ;)
vBulletin 2.2.3 & 2.2.4 are out for some weeks, but there are still
sites using vulnerable versions, so better update!
lates, Cano2 mailto:Cano2@buhaboard.de
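
An added example, not part of the advisory or the source message and not vBulletin's code: one way to implement the kind of check the vendor's patch is described as making (restricting the characters allowed in an [img] URL and requiring an http:// prefix), combined with HTML-escaping on output. The function names, the character allowlist and the acceptance of https:// are assumptions of this example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Hypothetical helper names; the allowlist below is this example's choice.
_IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Characters permitted anywhere in an image URL. Whitespace, line breaks,
# quotes, angle brackets, '#' and ';' (so no "&#NN;" entities) are excluded.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~/?=&%:+]+")


def safe_img_url(raw):
    """Return raw unchanged if it is an acceptable image URL, else None."""
    if not _URL_CHARS.fullmatch(raw):
        return None
    # The advisory's patch required "http://"; accepting "https://" as well
    # is an assumption of this example.
    if not raw.lower().startswith(("http://", "https://")):
        return None
    if not urlsplit(raw).hostname:          # e.g. "http://" with no host
        return None
    return raw


def render_post(text):
    """HTML-escape the whole post; expand only [img] tags that validate."""
    out, pos = [], 0
    for m in _IMG_TAG.finditer(text):
        out.append(escape(text[pos:m.start()], quote=True))
        url = safe_img_url(m.group(1))
        if url is None:
            out.append(escape(m.group(0), quote=True))  # left as inert text
        else:
            out.append('<img src="%s" alt="">' % escape(url, quote=True))
        pos = m.end()
    out.append(escape(text[pos:], quote=True))
    return "".join(out)


# Constructed sample posts (not taken from the source message).
SAMPLES = [
    "[img]http://example.test/a.png[/img]",
    "[img]vbscript:x[/img]",
    "[img]http://example.test/a\n.png[/img]",
    '[img]http://example.test/a.png" x="y[/img]',
    "[img]&#104;ttp://example.test/a.png[/img]",
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(repr(post), "->", render_post(post))
```

Only the first sample is expanded into an image element; the others are emitted as escaped text, so a rejected tag stays visible to moderators instead of being silently dropped.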