BugTraq
vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack Mar 02 2006 10:06AM
addmimistrator gmail com
???Summary???
Software: vBulletin
Sowtware?s Web Site: http://www.vBulletin.com
Versions: 3.0.12-3.5.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Mediume
??-Description??-
There is a security bug in most powerfull & common forum software vBulletin version 3.0.12&3.5.3 that allows attacker performe a XSS attack. bug is in result of unsentizing quotation and < & > characters for ?email? field of users? information. a weak regular expression for validation email that allows insertiong unvalid characters in domain-name section of email is source of this bug and also forgot to htmlspeacialcharing output value in sendmsg.php file, helps exploiting this bug. a successfull attack can result to thefthing cookies, hijacking pages and etc?
??-Conditions??-
AdminSetting Should meeted these settings:
Enable Email features=Yes
Allow Users to Email Other Members=Yes
Use Secure Email Sending=No
forum/admins/options.php?do=options&dogroup=email
It sounds that conditions are defaultly OK;
??-Exploit??-
Scenario:
/forum/profile.php?do=editpassword
pass:your pass
email: imei (at) myimei (dot) com [email concealed]?><script>alert(1)</script>.nomatt
Note About lenght limitation
****
forum/profile.php?do=editoptions
Receive Email from Other Members=yes
****
forum/sendmessage.php?do=mailmember&u={your id}
??-Solution??-
Upgrade to vendore provided patch.
??-Credit??-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus