Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

vBulletin 4.0.8 Cross Site Scripting

🗓️ 16 Nov 2010 00:00:00Reported by MaXeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 16 Views

vBulletin 4.0.8 Persistent XSS in Profile Customization featur

Code
`vBulletin - Persistent Cross Site Scripting via Profile Customization  
  
  
Versions Affected: 4.0.8 (3.8.* is not vulnerable.)  
  
Info:  
Content publishing, search, security, and more— vBulletin has it all.  
Whether it’s available features, support, or ease-of-use, vBulletin offers  
the most for your money. Learn more about what makes vBulletin the  
choice for people who are serious about creating thriving online communities.  
  
External Links:  
http://www.vbulletin.com  
  
Credits: MaXe (@InterN0T)  
  
  
-:: The Advisory ::-  
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the  
Profile Customization feature. If this feature is not enabled the vulnerability   
does not exist and the installation of vBulletin is thereby secure.  
  
Within the profile customization fields, it is possible to enter colour codes,  
rgb codes and even images. The image url() function does not sanitize user  
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.  
  
[1] Private Reflected XSS:  
An attacker can inject scripts in a simple way, which is only visible to the attacker.  
  
Proof of Concept:  
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)  
(This is only visible to the attacker when he or she is logged in, and browsing his or her own profile.)  
  
[2] Global Reflected XSS:  
An attacker can inject malicious CSS data executing javascript, which is then visible  
to anyone browsing the user profile. Even guests visiting the malicious user profile.  
  
Proof of Concept: (IE6 only, may not work in IE7+ and FF)  
url(/);background:url(javascript:document.write(1337))  
url(/);width:expression(alert('www.intern0t.net'))  
  
  
Please note that some of these strings may be too long to be injected. However a  
blog entry at Exploit-DB and a video on YouTube will be released very soon.  
  
  
-:: Solution ::-  
Turn off profile customization immediately for users able to customize their profile!  
When a security patch has been provided by the vendor, enable this feature again.  
  
  
Disclosure Information:  
- Vulnerability found and researched: 11th November 2010  
- Vendor (vBulletin Solutions / IB) contacted: 11th November  
- Disclosed to Exploit-DB, Bugtraq and InterN0T: 14th November  
  
References:  
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-xss-profile-customization.html  
http://www.vbulletin.com/forum/showthread.php?366834-vbulletin-4-profile-customization-exploit  
http://blip.tv/file/4381880  
http://www.youtube.com/watch?v=LOcLFVAqgOU  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Nov 2010 00:00Current
0.1Low risk
Vulners AI Score0.1
vbulletinpersistent xssprofile customizationsecurity patchexploit-dbibintern0tvendor disclosure
16