Bugtraq post: Input validation error in vB 2.x.x


  • Bugtraq post: Input validation error in vB 2.x.x

    I am not the author of this report, nor have I checked to see if its claims are valid. This was received today via Bugtraq. Copied here for those who may be interested:

    VBulletin discussion forum does not properly validate the input for HTML-tag-enabled forums, allowing arbitrary JavaScript code to be run for any access level user.
    Proof of concept:
    <b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>
    In action here:
    Disable the ability to post messages containing HTML code
    Vulnerable Versions:
    Not vulnerable:
    Special thanks
    To Pete Foster <[email protected]> for finding the same problem in phpBB, which gave me the idea to investigate.
    Dorin Balanica
    [email protected]
    Security Officer,
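
    As an added illustration (not part of the original post, the Bugtraq report, or vBulletin's own code), an allow-list HTML filter in JavaScript that neutralises the proof of concept above: an allowed tag is re-emitted from its name only, so onMouseOver and every other attribute is dropped, and an empty allow-list reproduces the "disable HTML" recommendation. The set of allowed tags is an assumption chosen for the example.

```javascript
// Added example (not vBulletin code): an allow-list HTML filter for forum
// posts. Allowed tags keep only their name; every attribute (including the
// on* event handlers used in the report's proof of concept) is dropped, and
// any tag outside the allow-list is rendered as literal text.
const DEFAULT_ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br"]); // assumed list

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Sanitize a post body. Passing an empty allow-list is equivalent to the
// report's recommendation of disabling HTML in posts entirely.
function sanitizeHtml(input, allowedTags = DEFAULT_ALLOWED_TAGS) {
  // Split into tag-like tokens (<...>) and the text between them. A stray
  // '<' with no closing '>' stays in a text token and is escaped.
  const tokens = input.split(/(<[^>]*>)/);
  let out = "";
  for (const tok of tokens) {
    if (tok === "") continue;
    const m = /^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(tok);
    if (m && allowedTags.has(m[2].toLowerCase())) {
      // Re-emit the tag from its name only: attributes never survive.
      out += `<${m[1]}${m[2].toLowerCase()}>`;
    } else {
      // Unknown tag, malformed tag, or plain text: neutralise it.
      out += escapeHtml(tok);
    }
  }
  return out;
}

// Constructed sample: the proof-of-concept string from the report above.
const POC = '<b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>';

console.log(sanitizeHtml(POC));
// → <b>This piece of text could be dangerous if you were to move your mouse over it!</b>
console.log(sanitizeHtml(POC, new Set()));
// → &lt;b onMouseOver=&quot;alert(document.location);&quot;&gt;This piece of text could be dangerous if you were to move your mouse over it!&lt;/b&gt;
```

The filter never inspects attribute names, so it does not depend on a blocklist of event handlers; anything that is not a bare allowed tag name is escaped.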

  • #2
    P.S. -- Before we get the all-too-often rehashed feedback on this, remember that Jelsoft recommends that administrators disable html completely on their forums unless it's deployed in a secure environment.

    Our forum implementation does not allow html posts. This does not concern me. I'm providing a copy for convenience only.

    Edit: It appears that the admin demo forum was reset after the Bugtraq report was made. I've enabled html and posted a test post available here using the instructions offered above:;threadid=1
    Last edited by Paul; Wed 11 Dec '02, 5:00pm.

