COMMAND

vBulletin XSS

SYSTEMS AFFECTED

Jelsoft vBulletin 2.2.0 - 2.2.8.

PROBLEM

Sp.IC [SpeedICNet@Hotmail.Com] says:

In global.php there is a variable [$scriptpath], the value of it is the referred URL that the client came from. Move on to admin/functions.php, in show_nopermission function the $scriptpath is called as a global variable. The content of the variable gets printed in the error_nopermission_loggedin template without filtering it. So if we pass some tags and script codes in the URL and refresh the page it will be printed in the no permission template. The same thing with $url variable, which prints its contents in many templates.

+ Exploit:

Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

- Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script> [You can use it wherever error_nopermission_loggedin gets printed].
- A pop-up window will appear and you'll receive an error message.
- Then log in.
- Go back to the previous pages where you left the login form.
- Then the pop-up window will appear again containing the User ID and Password Hash.

The same thing with $url templates.

SOLUTION

Upgrade to vBulletin 3.0.
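The unfiltered output described under PROBLEM, next to the output-encoding fix, as an added PHP example; it is not vBulletin code and not part of the advisory. The template string and function names are hypothetical, the request value is constructed from the advisory's URL, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added illustration, not vBulletin source. The template text and function
// names are hypothetical stand-ins for the flow the advisory describes.

// Simplified stand-in for a template that echoes the request URL back
// inside an attribute value.
const NOPERMISSION_TEMPLATE =
    '<form action="login.php" method="post">' .
    '<input type="hidden" name="url" value="%s">' .
    '</form>';

// Vulnerable pattern: the value reaches the template unfiltered.
function render_unfiltered(string $scriptpath): string
{
    return sprintf(NOPERMISSION_TEMPLATE, $scriptpath);
}

// Hardened pattern: encode for the HTML attribute context at the sink.
// ENT_QUOTES encodes both quote styles, so the value cannot close the attribute.
function render_escaped(string $scriptpath): string
{
    $safe = htmlspecialchars($scriptpath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf(NOPERMISSION_TEMPLATE, $safe);
}

// Parse the markup with PHP's DOM extension (libxml) and count <script> elements.
function count_script_elements(string $html): int
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // collect parser warnings quietly
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName('script')->length;
}

// Request value constructed from the URL in the advisory; SESSIONID is a placeholder.
$scriptpath = 'usercp.php?s=SESSIONID"><Script>alert(document.cookie);</Script>';

foreach (['render_unfiltered', 'render_escaped'] as $render) {
    $html = $render($scriptpath);
    printf("%-18s script elements: %d\n", $render, count_script_elements($html));
    echo $html, "\n";
}
```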