Bugtraq post: Input validation error in vB 2.x.x

  • #1

    I am not the author of this report, nor have I checked to see if its claims are valid. This was received today via Bugtraq. Copied here for those who may be interested:

    Description:
    ---------------
    vBulletin discussion forum (http://www.vbulletin.com) does not properly validate the input for html tag enabled forums, allowing arbitrary JavaScript code to be run for any access level user.
    Proof of concept:
    ----------------
    <b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>
    In action here:
    http://www.vbulletin.com/admindemo/showthread.php?threadid=3
    Workaround:
    -----------
    Disable the ability to post messages containing HTML code
    Vulnerable Versions:
    --------------------
    2.2.7
    2.2.8
    Not vulnerable:
    ---------------
    ?
    Special thanks
    --------------
    To Pete Foster <[email protected]> for finding the same problem in phpBB, which gave me the idea to investigate.
    ---------------------------------
    Dorin Balanica
    [email protected]
    Security Officer,
    bados.com
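The report above is a stored cross-site scripting issue: once HTML posting is enabled, an event-handler attribute such as onMouseOver on an otherwise harmless tag survives into the rendered page, so any visitor who hovers over the text runs the poster's script. The workaround in the report (disable HTML posting) removes the feature; the fix that keeps it is an allowlist filter that rebuilds each tag from a list of permitted tag names and per-tag attributes, so every on* handler is dropped regardless of how it is spelled. The JavaScript below is an added example written for this page, not code from vBulletin, Jelsoft or the report's author. It goes somewhat beyond the single onMouseOver case in the post: it also rejects javascript: URLs in href/src (including ones padded with whitespace or control characters) and renders any non-allowlisted tag as literal text. The allowlist contents and the function names are assumptions chosen for illustration.

```javascript
// Added example (not from the post or from vBulletin): an allowlist HTML
// filter for forum posts. Everything not explicitly permitted is either
// dropped (attributes) or escaped to visible text (tags).

// Assumed allowlist: tag name -> attributes that may survive on that tag.
// No on* attribute appears anywhere, so every event handler is removed.
const ALLOWED = new Map([
  ["b", []], ["i", []], ["u", []], ["em", []], ["strong", []],
  ["br", []], ["p", []],
  ["a", ["href", "title"]],
  ["img", ["src", "alt"]],
]);
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Parse one tag beginning at src[i] === "<".
// Returns { end, name, closing, attrs } or null when it is not a well-formed tag
// (null makes the caller treat the "<" as ordinary text, the conservative choice).
function parseTag(src, i) {
  let j = i + 1;
  let closing = false;
  if (src[j] === "/") { closing = true; j++; }
  const nameStart = j;
  while (j < src.length && /[A-Za-z0-9]/.test(src[j])) j++;
  const name = src.slice(nameStart, j).toLowerCase();
  if (!name) return null;
  const attrs = [];
  for (;;) {
    while (j < src.length && /\s/.test(src[j])) j++;
    if (j >= src.length) return null;                 // unterminated tag
    if (src[j] === ">") { j++; break; }
    if (src[j] === "/" && src[j + 1] === ">") { j += 2; break; }
    const aStart = j;
    while (j < src.length && !/[\s=>\/]/.test(src[j])) j++;
    const aName = src.slice(aStart, j).toLowerCase(); // case-folded: onMouseOver == onmouseover
    if (!aName) return null;
    let value = "";
    while (j < src.length && /\s/.test(src[j])) j++;
    if (src[j] === "=") {
      j++;
      while (j < src.length && /\s/.test(src[j])) j++;
      const q = src[j];
      if (q === '"' || q === "'") {
        const close = src.indexOf(q, j + 1);
        if (close < 0) return null;
        value = src.slice(j + 1, close);
        j = close + 1;
      } else {                                        // unquoted value
        const vStart = j;
        while (j < src.length && !/[\s>]/.test(src[j])) j++;
        value = src.slice(vStart, j);
      }
    }
    attrs.push([aName, value]);
  }
  return { end: j, name, closing, attrs };
}

// Only http, https, mailto or relative URLs are allowed in href/src.
function safeUrl(v) {
  // Browsers ignore whitespace/control characters inside a scheme ("java\tscript:"),
  // so strip them before looking at the scheme.
  const cleaned = v.replace(/[\x00-\x20]/g, "");
  if (!/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return true; // no scheme: relative URL
  return SAFE_SCHEMES.test(cleaned);
}

// Rebuild the post from scratch: text is escaped, allowed tags are re-emitted
// with only their allowed attributes, anything else becomes visible text.
function sanitize(src) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    const lt = src.indexOf("<", i);
    if (lt < 0) { out += escapeText(src.slice(i)); break; }
    out += escapeText(src.slice(i, lt));
    const tag = parseTag(src, lt);
    if (!tag || !ALLOWED.has(tag.name)) {
      out += "&lt;";                                  // not permitted: literal bracket
      i = lt + 1;
      continue;
    }
    if (tag.closing) {
      out += `</${tag.name}>`;
    } else {
      const permitted = ALLOWED.get(tag.name);
      const kept = tag.attrs
        .filter(([n, v]) => permitted.includes(n) && (!URL_ATTRS.has(n) || safeUrl(v)))
        .map(([n, v]) => ` ${n}="${escapeText(v)}"`)
        .join("");
      out += `<${tag.name}${kept}>`;
    }
    i = tag.end;
  }
  return out;
}

// Usage: the proof of concept from the report comes out with the handler removed.
const poc = '<b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>';
console.log(sanitize(poc));
```

Run this on the post body before it is stored (or at render time) rather than trying to blacklist known-bad attribute names; a blacklist misses spelling variants and new handlers, while an allowlist only ever emits what it was told about. A parse failure deliberately falls back to escaping, so malformed markup is shown rather than interpreted. For a production forum, a maintained sanitizer (for example DOMPurify in the browser) is the better choice; the point of this block is to show the allowlist shape, not to replace one.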


  • #2
    P.S. -- Before we get the all-too-often rehashed feedback on this, remember that Jelsoft recommends that administrators disable html completely on their forums unless it's deployed in a secure environment.

    <disclaimer>
    Our forum implementation does not allow html posts. This does not concern me. I'm providing a copy for convenience only.
    </disclaimer>


    Edit: It appears that the admin demo forum was reset after the Bugtraq report was made. I've enabled html and posted a test post available here using the instructions offered above:

    http://www.vbulletin.com/admindemo/s...amp;threadid=1
    Last edited by Paul; Wed 11 Dec '02, 5:00pm.
