TOPIC: vBulletin 3.5.2 Html_Injection


سريه سفيان بن عوف الغامدي للجهاد الكتروني

Peace be upon you and the mercy of God

Today I received a new vulnerability in this version, vBulletin 3.5.2


Vulnerability release date: 2006-01-01

and I wanted to pass it on to you

Vulnerability type: Html_Injection

It is in version vBulletin 3.5.2
and version vBulletin 3.5.1

Exploitation

http://www.xxx.com/vb/calendar.php?do=addreminder&e=[eventid]

eventid is the event number

I did not find a patch for it, and the current solution is to close the calendar



KAPDA New advisory

Vulnerable Version: 3.5.2 (prior versions also may be affected)
Bug: Html_Injection (Second order Cross_Site_Scripting)
Exploitation: Remote with browser

Description:
--------------------
vBulletin is a powerful, scalable and fully customizable forums package. It has been written using the Web's quickest-growing scripting language; PHP, and is complemented with a highly efficient and ultra fast back-end database engine built using MySQL.

Vulnerability:
--------------------
Html_Injection :
The software does not properly filter HTML tags in the title of events before being passed to user in 'calendar.php' & 'reminder.php AS include'. That may allow a remote user to inject HTML/javascript codes to events of calendar. The hostile code may be rendered in the web browser of the victim user who will Request Reminder for those Events (persistent).
For example an attacker creates new event (Single-All Day Event, Ranged Event OR Recurring Event) with this content:

TITLE:--------->Test<script>alert(********.******)</script>
BODY:---------->No matter
OTHER OPTIONS:->No matter

The hostile code will be rendered in the web browser of the victim user who will Request Reminder for this Event via
http://example.com/vbulletin/calenda...addreminder&e=[eventid]
The hostile code will originate from the site running the vBulletin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), or take actions on the site acting as the target user.

Demonstration XSS URL:
--------------------
http://example.com/vbulletin/calendar.php?do=addreminder&e=[eventid]

Solution:
--------------------
There is no vendor supplied patch for this issue at this time.

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Moon-Tzu the sister of Sun-Tzu:"Wish you a good year and joyful one. HAPPY NEW YEAR"

-------

By trueend5 On 1 Jan 2006



Source
http://kapda.ir/advisory-177.html


Accept my greetings




__________________
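
Output encoding of the stored event title at the point where a reminder page prints it, shown beside the unencoded form, as an added example that is not part of the original post, the KAPDA advisory or vBulletin's code. The function names, the array layout and the sample title are constructed for illustration.

```php
<?php
// Added illustration; not vBulletin source. All names are hypothetical.

// Constructed sample row: the title is stored exactly as the user typed it.
$events = [
    7 => ['title' => 'Test<script>alert(1)</script>', 'body' => 'No matter'],
];

// Weak form: the stored title is interpolated into the page as-is, so any
// markup in it becomes part of the HTML the browser parses.
function render_reminder_unsafe(array $event): string
{
    return '<h2>Request reminder for: ' . $event['title'] . '</h2>';
}

// Corrected form: encode at output time, for the HTML context it lands in.
// ENT_QUOTES also covers titles echoed into quoted attribute values.
function render_reminder_safe(array $event): string
{
    $title = htmlspecialchars($event['title'], ENT_QUOTES, 'UTF-8');
    return '<h2>Request reminder for: ' . $title . '</h2>';
}

// Regression check to run over every template that prints the title:
// no raw tag from the stored value may survive rendering.
function output_is_inert(string $html): bool
{
    return stripos($html, '<script') === false;
}

foreach ($events as $id => $event) {
    $unsafe = render_reminder_unsafe($event);
    $safe   = render_reminder_safe($event);
    printf("event %d unsafe inert: %s\n", $id, var_export(output_is_inert($unsafe), true));
    printf("event %d safe   inert: %s\n", $id, var_export(output_is_inert($safe), true));
    echo $safe, "\n";
}
```

Because the title is stored raw and reused by more than one page, the encoding has to be applied in each place that prints it, not only on the page where the event is created.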