Multiple XSS vulnerabilities exist in vbulletin.com's website that allow an attacker to obtain sensitive credentials and authenticate as a user on the forum and site.

The first problem lies in the site's Sales Form for opening an issue ticket. Improper sanitization of the value passed via the "Full Name" field allows a user to inject:

- it will give you a link to view your invoice and there ya go ;)

This XSS allows for session theft on vbulletin.com's forums, along with access to any information available in the context of a member on the website.
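The root cause is a submitted field that is echoed into the page without output encoding. The following is an added illustration, not vBulletin's code (vBulletin is PHP; this is a Python sketch of the same pattern), showing the vulnerable concatenation next to a version that encodes the value for both the HTML body and attribute contexts, plus a check that flags submissions containing markup characters so they can be logged:

```python
import html

# Constructed sample inputs: an ordinary name and one carrying markup.
SAMPLE_PLAIN = "John Doe"
SAMPLE_MARKUP = 'John <b onmouseover="x">Doe</b>'

def render_ticket_name_unsafe(full_name: str) -> str:
    # Vulnerable pattern: the submitted value is concatenated into the
    # page unchanged, so any tag it contains is interpreted by the browser.
    return f"<p>Ticket opened by {full_name}</p>"

def render_ticket_name(full_name: str) -> str:
    # Hardened: html.escape encodes < > & " and ' so the value is shown as text.
    safe = html.escape(full_name, quote=True)
    return f"<p>Ticket opened by {safe}</p>"

def render_name_attribute(full_name: str) -> str:
    # Attribute context: quote=True is essential here, otherwise a literal
    # double quote in the value could terminate the attribute early.
    safe = html.escape(full_name, quote=True)
    return f'<input name="full_name" value="{safe}">'

HTML_SIGNIFICANT = set('<>"\'&')

def looks_like_markup(value: str) -> bool:
    # Detection helper: a "Full Name" legitimately never needs these
    # characters, so their presence is worth logging on the server side.
    return any(ch in HTML_SIGNIFICANT for ch in value)

if __name__ == "__main__":
    print(render_ticket_name_unsafe(SAMPLE_MARKUP))  # raw tag survives
    print(render_ticket_name(SAMPLE_MARKUP))         # tag rendered as text
    print(looks_like_markup(SAMPLE_MARKUP), looks_like_markup(SAMPLE_PLAIN))
```

Encoding at output time is the fix for the reflected value itself; marking the forum's session cookie HttpOnly additionally keeps script from reading it even if an encoding gap remains.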

For a live demonstration, anonymously submitted to me by an individual who confirmed this vulnerability (performed in a testing environment and provided strictly for informational purposes only), visit:

http://www.splices.org/ret/xssvid.html

Please enable sound.

Discovered by:
splices
www.splices.org
www.securident.com