TUCoPS :: Web BBS :: Frequently Exploited :: bbs5764.htm

vBulletin XSS Exploit
18th Oct 2002 [SBWID-5764]

	vBulletin XSS


	Jelsoft vBulletin 2.2.0 - 2.2.8.


	Sp.IC [SpeedICNet@Hotmail.Com] says :

	In global.php there is a variable [$scriptpath], the value of it is  the
	referred URL that the client came from. Move on to  admin/functions.php,
	in show_nopermission function the $scriptpath  is  called  as  a  global
	variable.  The  content  of   the   variable   gets   printed   in   the
	error_nopermission_loggedin template without  filtering  it.  So  if  we
	pass some tags and script codes in the URL and refresh the page it  will
	be printed in the no permission  template.  The  same  thing  with  $url
	variable which print its contents in many templates.

	+ Exploit:

	Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:

	    - Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script> 

	      [You can use it wherever error_nopermission_loggedin get printed].

	    - A pop-up window will appear and you'll receive an error message.

	    - Then log in.

	    - Go back to the previous pages where you left the login form.

	    - Then the pop-up window will appear again containing the User ID and Password Hash.


	The same thing with $url templates.


	Upgrade to vBulletin 3.0.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH