كل ما يختص بالثغرات وإستغلال المواقع والمنتديات


    vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile

    شاطر
    avatar
    Saud! Sn!per
    مؤسس الموقع
    مؤسس الموقع

    المساهمات : 2
    تاريخ التسجيل : 24/05/2011
    العمر : 32
    الموقع : في ارض الله الواسعة

    vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile

    مُساهمة من طرف Saud! Sn!per في الثلاثاء مايو 24, 2011 2:30 am

    # Exploit Title: vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile
    Customization
    # Google Dork: "Powered by vBulletin Version 4.0.8" -"vBulletin.com is
    now powered by"
    # Date: 20th November 2010
    # Author: MaXe
    # Software Link: Commercial software.
    # Version: 4.0.8 PL1
    # Screenshot: See attachment.
    # Tested on: Windows and Linux (Server) + IE6 (Client).


    vBulletin - XSS Filter Bypass within Profile Customization


    Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)

    Info:
    Content publishing, search, security, and more - vBulletin has it all.
    Whether it's available features, support, or ease-of-use, vBulletin offers
    the most for your money. Learn more about what makes vBulletin the
    choice for people who are serious about creating thriving online
    communities.

    External Links:
    http://www.vbulletin.com

    Credits: MaXe (@InterN0T)


    -:: The Advisory ::-
    vBulletin is prone to a Persistent Cross Site Scripting vulnerability
    within the
    Profile Customization feature. If this feature is not enabled the
    vulnerability
    does not exist and the installation of vBulletin is thereby secure.

    Within the profile customization fields, it is possible to enter colour
    codes,
    rgb codes and even images. The image url() function does not sanitize user
    input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.

    With the previous patch for vBulletin 4.0.8 PL1, most attacks were disabled
    however it is possible to bypass this filter and inject data which is
    then executed
    effectively against though not limited to Internet Explorer 6.

    Proof of Concept:
    url(vbscript:msgbox("X/SS"))


    -:: Solution ::-
    Update vBulletin to version: 4.0.8 PL2


    Disclosure Information:
    - Vulnerability found and researched: 18th November 2010
    - Disclosed to vendor (Internet Brands): 18th November
    - Patch from Vendor available: 19th November
    - Disclosed at: InterN0T, Full Disclosure, Bugtraq and Exploit: 20th
    November


    References:
    http://forum.intern0t.net/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
    http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html



    Source site
    http://www.exploit-db.com/exploits/15590/


      الوقت/التاريخ الآن هو الإثنين ديسمبر 17, 2018 10:27 pm