Bugtraq mailing list archives
vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack
From: addmimistrator () gmail com
Date: 2 Mar 2006 10:06:35 -0000
Summary Software: vBulletin Sowtwares Web Site: http://www.vBulletin.com Versions: 3.0.12-3.5.3 Class: Remote Status: Unpatched Exploit: Available Solution: Available Discovered by: imei addmimistrator Risk Level: Mediume -Description- There is a security bug in most powerfull & common forum software vBulletin version 3.0.12&3.5.3 that allows attacker performe a XSS attack. bug is in result of unsentizing quotation and < & > characters for email field of users information. a weak regular expression for validation email that allows insertiong unvalid characters in domain-name section of email is source of this bug and also forgot to htmlspeacialcharing output value in sendmsg.php file, helps exploiting this bug. a successfull attack can result to thefthing cookies, hijacking pages and etc -Conditions- AdminSetting Should meeted these settings: Enable Email features=Yes Allow Users to Email Other Members=Yes Use Secure Email Sending=No forum/admins/options.php?do=options&dogroup=email It sounds that conditions are defaultly OK; -Exploit- Scenario: /forum/profile.php?do=editpassword pass:your pass email: imei () myimei com><script>alert(1)</script>.nomatt Note About lenght limitation **** forum/profile.php?do=editoptions Receive Email from Other Members=yes **** forum/sendmessage.php?do=mailmember&u={your id} -Solution- Upgrade to vendore provided patch. -Credit- Discovered by: imei addmimistrator addmimistrator(4}gmail(O}com
Current thread:
- vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack addmimistrator (Mar 02)