by r0t,der4444,cembo,VietMafia

Saturday, November 26, 2005

VBulletin 3.5.1 XSS vuln.



Vuln. discovered by: r0t
Date: 26 nov. 2005
Vendor: http://www.vbulletin.com/
Affected version: 3.5.1 and prior

Vuln. Description:

vBulletin contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the remote avatar URL upon submission to the profile.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Manual Testing Notes:
Specify the following in the remote avatar URL field on the editavatar page:
http://www.parsing:error[XSS].com/.jpg


Solution:
Edit the source code to ensure that input is properly sanitised.
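The description above says the remote avatar URL is accepted without validation, and the solution is to sanitise the input. As an added example (not vBulletin's own code, and not from the advisory's authors), the PHP below shows the two halves of that fix: a strict allow-list validator for the submitted URL, and output that never reflects the raw submission. The function names, the allow-list of image extensions and the fixed error text are assumptions for this illustration; only the first sample string comes from the advisory.

```php
<?php
// Added example, not vBulletin code. Requires PHP 7.1+ for the nullable
// return type. Function names and policy choices are assumptions.

/**
 * Return a rebuilt, normalised URL if $url is an acceptable remote avatar
 * location, or null if it must be rejected.
 */
function validate_avatar_url(string $url): ?string
{
    $url = trim($url);

    // A length cap keeps oversized junk out of the database and the logs.
    if ($url === '' || strlen($url) > 255) {
        return null;
    }

    // PHP's own URL validator refuses malformed absolute URLs; the
    // advisory's test string has a non-numeric port and fails here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }

    // Only plain web schemes may be fetched: no javascript:, data:, file:.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    // Host must be a plain DNS name (labels of letters, digits, hyphens).
    $host = $parts['host'] ?? '';
    $label = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?';
    if (!preg_match('/^' . $label . '(\.' . $label . ')+$/', $host)) {
        return null;
    }

    // Credentials, query strings and fragments have no place in an avatar URL.
    if (isset($parts['user'], $parts['pass']) || isset($parts['query'], $parts['fragment'])) {
        return null;
    }
    if (isset($parts['port']) && ($parts['port'] < 1 || $parts['port'] > 65535)) {
        return null;
    }

    // Path must end in an image type we are willing to show as an avatar.
    $path = $parts['path'] ?? '';
    if (!preg_match('/^\/[A-Za-z0-9._\/-]*\.(gif|jpe?g|png)$/i', $path)) {
        return null;
    }

    // Rebuild from the validated pieces so nothing unparsed survives.
    $rebuilt = $scheme . '://' . strtolower($host);
    if (isset($parts['port'])) {
        $rebuilt .= ':' . (int) $parts['port'];
    }
    return $rebuilt . $path;
}

/** Escape a value for HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The pattern the advisory describes: the submitted value reaches the page
// (here an error message) with no validation and no escaping.
function render_avatar_unsafe(string $url): string
{
    return '<p>Could not fetch avatar from ' . $url . '</p>';
}

// Hardened: validate first, and never echo the raw submission back.
function render_avatar_safe(string $url): string
{
    $clean = validate_avatar_url($url);
    if ($clean === null) {
        // Fixed text only; the rejected input is not reflected at all.
        return '<p>The avatar URL was rejected. Use an http(s) URL ending in .gif, .jpg or .png.</p>';
    }
    return '<img src="' . h($clean) . '" alt="avatar">';
}

// Constructed samples for a quick check from the command line.
$samples = [
    'http://www.parsing:error[XSS].com/.jpg', // the advisory's test string
    'javascript:alert(1)',
    'https://example.com/a.jpg?v=2',          // rejected: query string
    'HTTP://Example.com:8080/img/avatar.png',  // accepted and normalised
];
foreach ($samples as $s) {
    echo $s, ' => ', var_export(validate_avatar_url($s), true), "\n";
}
```

Rebuilding the URL from validated parts, rather than storing the original string, is the deliberate choice here: whatever reaches the template or an error message is then a value the application constructed itself. The first comment below attributes the reflected text to PHP's display_errors setting; keeping that Off in production is a separate control and still worth doing, since the hardened function only removes the reflection from the application's own output.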

Disclosure timeline:

15 nov.: contacted vendor.
As of today there is no fix from the vendor.

8 Comments:

Anonymous Anonymous told...

display_errors is off by default with PHP and should remain Off in a production environment. This is more an error on the part of the System Admin than vBulletin.

12:27 PM

 

 
Copyright (c) 2006 Pridels Sec Crew