
vbulletinXSSpasswd.txt

Date: 03 Mar 2006
Reported by: imei addmimistrator
Type: packetstorm
Source: packetstormsecurity.com

vBulletin versions 3.0.12-3.5.3 contain an XSS bug that allows a remote attack, caused by unsanitized input and weak email validation.

Code
`——–Summary——–  
Software: vBulletin  
Software’s Web Site: http://www.vBulletin.com  
Versions: 3.0.12-3.5.3  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Available  
Discovered by: imei addmimistrator  
Risk Level: Medium  
——-Description——-  
There is a security bug in the most powerful and common forum software, vBulletin version 3.0.12&3.5.3, that allows an attacker to perform an XSS attack. The bug results from not sanitizing quotation marks and the < and > characters in the “email” field of the user's information. A weak regular expression for email validation, which allows invalid characters in the domain-name section of the address, is the source of this bug; the output value is also not passed through htmlspecialchars in the sendmsg.php file, which helps exploitation. A successful attack can result in cookie theft, page hijacking, etc.  
——-Conditions——-  
The admin settings must meet these conditions:  
Enable Email features=Yes  
Allow Users to Email Other Members=Yes  
Use Secure Email Sending=No  
forum/admins/options.php?do=options&dogroup=email  
These conditions appear to be met by default.  
——-Exploit——-  
Scenario:  
/forum/profile.php?do=editpassword  
pass:your pass  
email: [email protected]”><script>alert(1)</script>.nomatt  
Note about length limitation  
****  
forum/profile.php?do=editoptions  
Receive Email from Other Members=yes  
****  
forum/sendmessage.php?do=mailmember&u={your id}  
——-Solution——-  
Upgrade to the vendor-provided patch.  
——-Credit——-  
Discovered by: imei addmimistrator  
addmimistrator(4}gmail(O}com  
`
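
The advisory names two defects: a permissive email regular expression and a missing htmlspecialchars call on output. The PHP below is an added example showing both corrected side by side. It is not vBulletin's code, and the weak pattern, function names and sample addresses are constructed for illustration.

```php
<?php
// Added example, not vBulletin code. The permissive pattern below is a
// constructed stand-in for "a weak regular expression"; the real pattern
// is not shown in the advisory.

// Weak: only checks for something@something.something, any characters allowed.
function weak_is_email(string $email): bool
{
    return preg_match('/^.+@.+\..+$/', $email) === 1;
}

// Stricter: PHP's built-in validator rejects quotes and angle brackets
// in the domain part.
function strict_is_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Output encoding: applied every time a stored value is written into HTML,
// regardless of how it was validated on input.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs; the second follows the shape in the advisory.
$samples = [
    'alice@example.com',
    'user@example.com"><script>alert(1)</script>.nomatt',
];

foreach ($samples as $email) {
    printf("input:  %s\n", $email);
    printf("  weak regex accepts:   %s\n", weak_is_email($email) ? 'yes' : 'no');
    printf("  strict check accepts: %s\n", strict_is_email($email) ? 'yes' : 'no');
    // Unsafe template: the raw value can close the attribute and the tag.
    printf("  raw:     <input name=\"email\" value=\"%s\">\n", $email);
    // Safe template: quotes and angle brackets are emitted as entities.
    printf("  encoded: <input name=\"email\" value=\"%s\">\n\n", h($email));
}
```

Validation on input and encoding on output are independent controls; the encoded line stays inert even for values stored before the stricter check was in place.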

Vulners AI Score: 7.4 (High risk)