[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] VBulletin adminCP Cross Site Scripting

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] VBulletin adminCP Cross Site Scripting
From: Henri Salo <henri@xxxxxxx>
Date: Thu, 4 Aug 2011 17:18:55 +0300

On Wed, Aug 03, 2011 at 06:37:32PM +0600, HAroon . wrote:
> *Advisory Information*
> 
> Title: vBulletin Cross Site Scripting Vulnerability
> 
> Date published: 02-08-2011
> 
> Vendors contacted: vBulletin team
> 
>  
> 
> *Vulnerability Information*
> 
> Class: XSS flaw
> 
> Vulnerable page: Admin Login Page (admincp)
> 
> Remotely Exploitable: Yes
> 
> Locally Exploitable: No
> 
>  
> 
> *Vulnerability Description*
> 
> vBulletin is a community forum solution for a wide range of users,
> including industry leading companies. A XSS vulnerability has been discovered
> that could allow an attacker to carry out an action impersonating a legal 
> user,
> or to obtain access to a user's account.
> 
> This flaw allows unauthorized disclosure and modification of information,
> and it allows disruption of service.
> 
>  
> 
> *Vulnerable versions*
> 
> 4.1.3pl3, 4.1.4pl3 & 4.1.5pl1
> 
>  
> 
> *Non-vulnerable Packages*
> 
> . vBulletin prior to 4.1.3
> 
> *Vendor Information, Solutions and Workarounds*
> 
> vBulletin team has released patches for this flaw and patch is released on
> 02-08-2011. 
> https://www.vbulletin.com/forum/showthread.php/385133-vBulletin-4.1.3-4.1.4-and-4.1.5-Security-Patch
> 
>  
> 
> *Credits*
> 
> This vulnerability was discovered by Muhammad Haroon from Innovative
> Solutions KSA. OWASP Chapter Lead of Pakistan. haroon [at] live [dot] it
> 
>  
> 
> *Proof of Concept Code*
> 
> This is a Cross Site Scripting (XSS) vulnerability within vBulletin
> community forum solution. In order to exploit this flaw following vector would
> be used.
> 
>  
> http://www.example.com/forums/admincp/?";><script>alert('Xss_found_By_M.Haroon')</script>
> 
>  
> 
> *Report Timeline*
> 
> 30-07-2011: Notifies the vBulletin team about the vulnerability.
> 31-07-2011: vBulletin Team ask for technical description about the flaw
> 31-07-2011: Technical Details sent to vbulletin team
> 02-08-2011: vBulletin notifies that a fix has been produced and is
> available to the users on 2nd August 2011
> 03-08-2011: Vulnerability publicly disclosed.

Did you request CVE-ID for this issue?

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] VBulletin adminCP Cross Site Scripting
  - From: HAroon .

Prev by Date: [Full-disclosure] Agnitio Security Code Review Tool v2.0 released
Next by Date: Re: [Full-disclosure] CAT Version 1 Released - Web App Testing Tool
Previous by thread: [Full-disclosure] VBulletin adminCP Cross Site Scripting
Next by thread: Re: [Full-disclosure] Why Block Mail-archive.com?
Index(es):
- Date
- Thread