Re: XSS with Vbulletin (new idea !)

[marco.van.herwaarden () vbulletin com]

Standard vBulletin will not allow for inline display of any unsafe attachment type. This includes .SWF. If inline 
viewing of a potential unsafe attachment type is allowed, then this is either done by a modification or by a custom 
BB-code.

If the attachment can only be downloaded (like with default vBulletin), then it can never execute any code inside the 
webserver scope.

Conclusion: There is no vulnerability in vBulletin and this is a bogus report.