Open Source and information security mailing list archives
 
Date: 1 Jan 2007 21:08:25 -0000
From: marco.van.herwaarden@...lletin.com
To: bugtraq@...urityfocus.com
Subject: Re: XSS with Vbulletin (new idea !)

Standard vBulletin will not allow for inline display of any unsafe attachment type. This includes .SWF. If inline viewing of a potentially unsafe attachment type is allowed, then this is either done by a modification or by a custom BB-code.

If the attachment can only be downloaded (like with default vBulletin), then it can never execute any code inside the webserver scope.

Conclusion: There is no vulnerability in vBulletin and this is a bogus report.
