|
Advisory Name : vBulletin HTML Injection Vulnerability Release Date : June 24,2004 Application : vBulletin Test On : 3.0.1 or others? Vendor : Jelsoft(http://www.vbulletin.com/) Discover : Cheng Peng Su(apple_soup_at_msn.com) Intro: From vendor's website ,it says that ,vBulletin is a powerful, scalable and fully customizable forums package for your web site. It has been written using the Web's quickest-growing scripting language; PHP, and is complimented with a highly efficient and ultra fast back-end database engine built using MySQL. Proof of concept: While a user is previewing the post , both newreply.php and newthread.php do sanitize the input in 'Preview',but not Edit-panel,malicious code can be injected thru this flaw. Exploit: A page as below can lead visitor to a Preview page which contains XSS code. -------------------------Remote.html------------------------- <script> document.all.preview.click(); </script> -----------------------------End----------------------------- Solution: vBulletin Team will release a patch or a fixed version as soon as possible. Contact: Cheng Peng Su apple_soup_at_msn.com Class 1,Senior 2,High school attached to Wuhan University Wuhan,Hubei,China