lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS
[<prev] [next>] [month] [year] [list] 
Date: 6 Feb 2007 20:16:26 -0000
From: DoZ@...kersCenter.com
To: bugtraq@...urityfocus.com
Subject: VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting
 Vulnerability

VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerability



vBulletin is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

An attacker could exploit this vulnerability to have arbitrary script code execute in the context of the affected site. This may allow an attacker to steal cookie-based authentication credentials and to launch other attacks.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Remote: No
Local: Yes
Class:  Input Validation Error


Vendor: http://www.vbulletin.com/
Vulnerable:: Admin Control Panel (vBulletin 3.6.4 )


Attackers can exploit these issues via a web client. 


These Fucntions on Index.php Contail XSS.

- User Group Manager
- User Rank Manager
- User Title Manager
- BB Code Manager
- Attachment Manager
- Calendar Manager
- Forums & Moderators



Pictures: http://rapidshare.com/files/15246918/vb-xss.rar.html


Security researcher? Join us: mail Zinho at zinho at hackerscenter.com

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux