Re: XSS with Vbulletin (new idea !)
- From: marco.van.herwaarden@xxxxxxxxxxxxx
- Date: 1 Jan 2007 21:08:25 -0000
Standard vBulletin will not allow for inline display of any unsafe attachment type. This includes .SWF. If inline viewing of a potential unsafe attachment type is allowed, then this is either done by a modification or by a custom BB-code.
If the attachment can only be downloaded (like with default vBulletin), then it can never execute any code inside the webserver scope.
Conclusion: There is no vulnerability in vBulletin and this is a bogus report.
- Prev by Date: Re: Re: Mozilla Firefox 2.0 denial of service vulnerability
- Next by Date: RE: PHP as a secure language? PHP worms? [was: Re: new linux malware]
- Previous by thread: Mozilla Firefox 2.0 denial of service vulnerability
- Next by thread: Dailymotion password reset vulnerability