vBulletin Multiple Cross Site Scripting Vulnerabilities
From: Roberto (roberto_at_XDESIGN.IT)
Date: Wed, 17 Sep 2003 18:03:55 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
SYSTEMS AFFECTED ========
Jelsoft Enterprises vBulletin Forum
(exploited with a browser)
Subject: vBulletin Multiple Cross Site Scripting Vulnerabilities
Date: 17 September 2003 (release from old archive, flaws found on 7 September 2002)
The vBulletin Forum can be forced to return malicious content in a user's browser.
There are multiple cross-site scripting (CSS, today usually written XSS) vulnerabilities (version 3.0 and prior).
1) The first bug affects vBulletin version 2.2.7, 2.2.6 and probably previous versions.
The "aim" parameter is not filtered, so execution of malicious code is possible:
2) The second one is harder to exploit and affects only 2.2.6 (or earlier).
Folder names allow execution of code. Version 2.2.7 seems to patch this flaw.
Type in a browser:
type="hidden" name="s" value=""><input type="hidden" name="highest" value="3"><input type="hidden"
name="folderlist" value="<script>alert(document.cookie)</script>"><input type="hidden" name="folderlist"
value=""><input type="hidden" name="folderlist" value=""><input type="hidden" name="action"
value="doeditfolders"><input type="submit" name="submit" value="write to me"></form>');
3) The third bug is exploited through the "membername" parameter in Quickfind form.
Tested on 2.2.6 with Quickfind enabled (Quickfind is a hack, i.e. an add-on modification rather than a stock feature).
4) CSS in Lost Password form:
5) CSS in showthread, word highlight function:
6) CSS on 2.2.9 and prior. Type this in a forum index page:
Stealing cookies, which may contain critical data (personal information,
Upgrade to new releases.
VENDOR STATUS ========
vBulletin programmers were notified on 7 September 2002.
All the flaws are patched as of version 2.2.8 (and in the 3.0 beta).
This information is supplied for educational purposes only.
The author is not liable for any direct or indirect use of this
information, which must not be used to modify or interrupt the operation
of computer systems.
LEGAL NOTICE ========
This advisory is Copyright (c) 2003 Roberto Dapino.
It can be reproduced without the author's written permission
only if unmodified.
Vulnerabilities found by Roberto Dapino, Italy. - firstname.lastname@example.org
Special thanks to: vBulletin Programmers.
xdesign.it - stormvision.it