SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   vBulletin Vendors:   Jelsoft Enterprises
vBulletin Input Validation Flaws in 'newreply.php' and 'newthread.php' Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010577
SecurityTracker URL:  http://securitytracker.com/id/1010577
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 25 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.0.1
Description:   An input validation vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks.

Cheng Peng Su reported that the 'newreply.php' and 'newthread.php' scripts do not properly filter HTML code from user-supplied input in the Edit panel. A remote user can send a specially crafted message that, when edited by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vBulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor has reportedly been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vBulletin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbulletin.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  vBulletin HTML Injection Vuln





 Advisory Name : vBulletin HTML Injection Vulnerability
  Release Date : June 24,2004 
   Application : vBulletin
       Test On : 3.0.1 or others?
        Vendor : Jelsoft(http://www.vbulletin.com/)
      Discover : Cheng Peng Su(apple_soup_at_msn.com)
     
Intro:
     From vendor's website ,it says that ,vBulletin is a powerful, scalable and 
 fully customizable forums package for your web site. It has been written using
 the Web's quickest-growing scripting language; PHP, and is complimented with a
 highly efficient and ultra fast back-end database engine built using MySQL.

Proof of concept:
     While a user is previewing the post , both newreply.php and newthread.php 
 do sanitize the input in 'Preview',but not Edit-panel,malicious code can be 
 injected thru this flaw.
 
Exploit:
     A page as below can lead visitor to a Preview page which contains XSS code.
    
   -------------------------Remote.html-------------------------
   <form action="http://host/newreply.php" name="vbform" 
   method="post" style='visibility:hidden'>
   <input name="WYSIWYG_HTML" 
   value="&lt;IMG src=&quot;javascript:alert(document.cookie)&quot;&gt;"/>
		<input name="do" value="postreply"/>
		<input name="t" value="123456" />
		<input name="p" value="123456" />
		<input type="submit" class="button" name="preview"/>
   </form>
   &lt;script&gt;
     document.all.preview.click();
   &lt;/script&gt;
   -----------------------------End-----------------------------
   

Solution:
     vBulletin Team will release a patch or a fixed version as soon as possible.

Contact:
  Cheng Peng Su
  apple_soup_at_msn.com
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC