Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:10882
HistoryJan 03, 2006 - 12:00 a.m.

[KAPDA::#19] - Html Injection in vBulletin 3.5.2

2006-01-0300:00:00
vulners.com
10

KAPDA New advisory

Vendor: http://www.vbulletin.com
Vulnerable Version: 3.5.2 (prior versions also may be
affected)
Bug: Html Injection (Second order cross site
scripting)
Exploitation: Remote with browser

Description:

vBulletin is a powerful, scalable and fully
customizable forums package. It has been written using
the Web's quickest-growing scripting language; PHP,
and is complemented with a highly efficient and ultra
fast back-end database engine built using MySQL.

Vulnerability:

Html Injection :
The software does not properly filter HTML tags in the
title of events before being passed to user in
'calendar.php'&'reminder.php AS include'. that may
allow a remote user to inject HTML/javascript codes to
events of calendar. The hostile code may be rendered
in the web browser of the victim user who will Request
Reminder for those Events (persistent).
For example an attacker creates new event (Single-All
Day Event , Ranged Event OR Recurring Event)with this
content:

TITLE:--------->Test<script>alert(document.cookie)</script>
BODY:---------->No matter
OTHER OPTIONS:->No matter

The hostile code will be rendered in the web browser
of the victim user who will Request Reminder for this
Event via
http://example.com/vbulletin/calendar.php?do=addreminder&amp;e=[eventid]
The hostile code will originate from the site running
the Vbulletin software and will run in the security
context of that site. As a result, the code will be
able to access the target user's cookies (including
authentication cookies),or take actions on the site
acting as the target user.

Demonstration XSS URL:

http://example.com/vbulletin/calendar.php?do=addreminder&amp;e=[eventid]

Solution:

There is no vendor supplied patch for this issue at
this time.

More Details:

http://kapda.ir/advisory-177.html
http://irannetjob.com/content/view/184/28/

Credit :

Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Moon-Tzu the sister of Sun-Tzu:"Wish you a good year
and joyful one. HAPPY NEW YEAR" ;)


Yahoo! for Good - Make a difference this year.
http://brand.yahoo.com/cybergivingweek2005/