Bugtraq mailing list archives
Input Validation Error in vbulletin 2.2.x
From: "Dorin Balanica" <dorin () bados com>
Date: Sun, 8 Dec 2002 06:01:20 +0200
Description:
---------------
VBulletin discussion forum (http://www.vbulletin.com) does not properly validate the input for html tag enabled forums, allowing arbitrary JavaScript code to be run for any access level user.

Proof of concept:
----------------
<b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>

In action here:
http://www.vbulletin.com/admindemo/showthread.php?threadid=3

Workaround:
-----------
Disable the ability to post messages containing HTML code

Vulnerable Versions:
--------------------
2.2.7
2.2.8

Not vulnerable:
---------------
?

Special thanks
--------------
To Pete Foster <pete () sec-tec demon co uk> for finding the same problem in phpBB, which gave me the idea to investigate.

---------------------------------
Dorin Balanica
dorin () bados com
Security Officer, bados.com
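The input validation gap reported above, shown from the defensive side as an added example (not code from the post or from vBulletin): a Python sketch that rebuilds a post from parsed tokens and keeps only allowlisted tags and attributes, so event-handler attributes such as onMouseOver never reach the page. The tag policy and the names ALLOWED, SAFE_SCHEMES, PostSanitizer and sanitize_post are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes permitted on that tag.
ALLOWED = {"b": set(), "i": set(), "u": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
# Proof-of-concept markup quoted from the post, used here as test input.
POC = ('<b onMouseOver="alert(document.location);">This piece of text could be '
       'dangerous if you were to move your mouse over it!</b>')

def _safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False

class PostSanitizer(HTMLParser):
    """Re-emit only allowlisted markup; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag outside the policy is dropped, its text is kept
        kept = []
        for name, value in attrs:  # the parser lowercases attribute names
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onmouseover, onclick, style, ...
            if name == "href" and not _safe_url(value):
                continue  # drops javascript: and other non-web schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped

def sanitize_post(html_text):
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(sanitize_post(POC))
```

Because the output is regenerated from an allowlist rather than filtered with a blocklist of known handler names, attributes the policy does not name are removed by default.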