Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: bbs5764.htm

vBulletin XSS Exploit



18th Oct 2002 [SBWID-5764]
COMMAND

	vBulletin XSS

SYSTEMS AFFECTED

	Jelsoft vBulletin 2.2.0 - 2.2.8.

PROBLEM

	Sp.IC [SpeedICNet@Hotmail.Com] says :
	

	In global.php there is a variable [$scriptpath], the value of it is  the
	referred URL that the client came from. Move on to  admin/functions.php,
	in show_nopermission function the $scriptpath  is  called  as  a  global
	variable.  The  content  of   the   variable   gets   printed   in   the
	error_nopermission_loggedin template without  filtering  it.  So  if  we
	pass some tags and script codes in the URL and refresh the page it  will
	be printed in the no permission  template.  The  same  thing  with  $url
	variable which print its contents in many templates.
	

	+ Exploit:
	

	Note: Tested on Microsoft Internet Explorer 6.0 and vBulletin.com:
	

	    - Go to usercp.php?s=[Session ID]"><Script>alert(document.cookie);</Script> 

	      [You can use it wherever error_nopermission_loggedin get printed].

	    - A pop-up window will appear and you'll receive an error message.

	    - Then log in.

	    - Go back to the previous pages where you left the login form.

	    - Then the pop-up window will appear again containing the User ID and Password Hash.

	

	The same thing with $url templates.

SOLUTION

	Upgrade to vBulletin 3.0.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH