vBulletin - Insecure Custom BBCode Tags=0D =0D =0D Versions Affected: 3.8.4 PL2 (Most likely all versions)=0D =0D Info:=0D Content publishing, search, security, and more=97vBulletin has it all. Whether=0D it=92s available features, support, or ease-of-use, vBulletin offers the most for=0D your money. Learn more about what makes vBulletin the choice for people=0D who are serious about creating thriving online communities.=0D =0D External Links:=0D http://www.vbulletin.com/=0D =0D =0D =0D -:: The Advisory ::-=0D =0D A vulnerability exists within vBulletin which makes an attacker able to inject=0D code such as HTML or Javascript via custom BBCode Tags IF they follow certain=0D conditions which are described below.=0D =0D Requirements:=0D - User-input must be located inside a variable in a HTML-tag.=0D - Apostrophes or nothing must be used for encapsulation.=0D =0D =0D Insecure Implementations:=0D =0D - Example 1 (src is insecure)=0D=0D =0D - Example 2 (href is insecure)=0D {param}=0D =0D =0D Exploitation of Above Implementations:=0D =0D - Example 1 (PoC)=0D [BadTag]x:x' onerror=alert(0) foo='[/BadTag]=0D =0D - Example 2 (PoC)=0D [BadTag2=fail onmouseover=alert(0)]Link[/BadTag2]=0D =0D =0D =0D -:: Solution ::-=0D =0D Sanitize BBCode with htmlentities($var, ENT_QUOTES); or htmlspecialchars($var); in the PHP files.=0D (Jelsoft should fix this, however I may provide a patch if they don't.)=0D =0D Alternatively don't use BBCode with apostrophes where user-input is inside a variable.=0D =0D Examples of "Secure Implementation":=0D