vBulletin Input Validation Flaws in 'newreply.php' and 'newthread.php' Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1010577|
SecurityTracker URL: http://securitytracker.com/id/1010577
(Links to External Site)
Date: Jun 25 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Exploit Included: Yes |
An input validation vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks.|
Cheng Peng Su reported that the 'newreply.php' and 'newthread.php' scripts do not properly filter HTML code from user-supplied input in the Edit panel. A remote user can send a specially crafted message that, when edited by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vBulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has reportedly been notified.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vBulletin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.|
No solution was available at the time of this entry.|
Vendor URL: www.vbulletin.com/ (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: vBulletin HTML Injection Vuln|
Advisory Name : vBulletin HTML Injection Vulnerability
Release Date : June 24,2004
Application : vBulletin
Test On : 3.0.1 or others?
Vendor : Jelsoft(http://www.vbulletin.com/)
Discover : Cheng Peng Su(apple_soup_at_msn.com)
From vendor's website ,it says that ,vBulletin is a powerful, scalable and
fully customizable forums package for your web site. It has been written using
the Web's quickest-growing scripting language; PHP, and is complimented with a
highly efficient and ultra fast back-end database engine built using MySQL.
Proof of concept:
While a user is previewing the post , both newreply.php and newthread.php
do sanitize the input in 'Preview',but not Edit-panel,malicious code can be
injected thru this flaw.
A page as below can lead visitor to a Preview page which contains XSS code.
<form action="http://host/newreply.php" name="vbform"
<input name="do" value="postreply"/>
<input name="t" value="123456" />
<input name="p" value="123456" />
<input type="submit" class="button" name="preview"/>
vBulletin Team will release a patch or a fixed version as soon as possible.
Cheng Peng Su
Class 1,Senior 2,High school attached to Wuhan University