vBulletin
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
vBulletin Cross Site Scripting Vulnerability
*Advisory Information*
Title: vBulletin Cross Site Scripting Vulnerability
Vendors contacted: vBulletin team
----
*Vulnerability Information*
Class: XSS flaw
Vulnerable page: Admin Login Page (admincp)
Remotely Exploitable: Yes
vBulletin - XSS Filter Bypass within Profile Customization
Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)
Info:
Content publishing, search, security, and more - vBulletin has it all.
Whether it's available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.
vBulletin - Persistent Cross Site Scripting via Profile Customization
Versions Affected: 4.0.8 (3.8.* is not vulnerable.)
Info:
Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.
======================================================================
Advisory : Exploit for vBulletin "obscure" XSS
Release Date : June 13th 2008
Application : vBulletin
Version : vBulletin 3.7.1 and lower, vBulletin 3.6.10 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com)
======================================================================
Advisory : XSS in admin logs
Release Date : July 06th 2008
Application : vBulletin
Version : vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com),
Friends who wish to remain anonymous.
[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4
===============================================================================
Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-69.html
-----Original Message-----
From: advisories@intern0t.net [mailto:advisories@intern0t.net]
Sent: Thursday 22 July 2010 20:17
To: bugtraq@securityfocus.com
Subject: vBulletin - Critical Information Disclosure
Versions Affected: 3.8.6 (Only!)
Info:
Content publishing, search, security, and more-vBulletin has it all. Whether
[waraxe-2008-SA#068] - Sql Injection in vBulletin 3.7.3.pl1
===============================================================================
Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-68.html
claim to be
security conscious, regarding their handling of file uploads with regard to
handling mime sniffing.
We surveyed MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4), FluxBB (1.3),
phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2).
Of the surveyed scripts, only phpBB and vBulletin had sufficient safeguards
against attacks using mime sniffing in place. All other scripts were found to be
vulnerable.
We consider it to be remarkable that a surprisingly big number of scripts had
Versions Affected: 3.8.6 (Only!)
Info:
Content publishing, search, security, and more—vBulletin has it all. Whether
it’s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.
External Links:
http://www.vbulletin.com/
# Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL
injection Vulnerability 0-day
# Google Dork: intitle: powered by Vbulletin 4
# Date: 20/07/2011
# Author: FB1H2S
# Software Link: [http://www.vbulletin.com/]
# Version: [4.x.x]
# Tested on: [relevant os]
# CVE : [http://members.vbulletin.com/]
vBulletin - Insecure Custom BBCode Tags
Versions Affected: 3.8.4 PL2 (Most likely all versions)
Info:
Content publishing, search, security, and more—vBulletin has it all. Whether
it’s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.
======================================================================
Advisory : XSS in modcp index
Release Date : June 17th 2008
Application : vBulletin
Version : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com),
Friends who wish to remain anonymous.
vBulletin - Cross Site Script Redirection
Versions Affected: 3.8.4 / 3.7.6 / 3.6.12
Patches Available: 3.8.4PL1 / 3.7.6PL1 / 3.6.12PL1
Info: An XSS flaw within the user profile page has recently been discovered.
This could allow an attacker to carry out an action as a user or obtain
access to a user's account. To resolve this issue, it has been necessary to
release a patch level version of the active versions of vBulletin.
#!usr/bin/perl
#vBulletin® Version 3.8.2 D3n14l 0f S3rv1c3 Expl01t
#HaCker Anger - Qkk@Hotmail.Fr
########################################################################
# Modules #
########################################################################
use IO::SOCKET; # Object interface #
########################################################################
if (@ARGV<1){
print"
On Saturday 05 January 2008 22:46:14, nbbn@gmx.net wrote:
> ###############################################################
> Author: NBBN
> Found: 5, January 2008
> vBulletin Version: 3.6.8 Patch Level x and possibly lower
> Type: XSRF/XSS
> Risk: Medium
> ###############################################################
>
> ##Explanation(english)##
###############################################################
Author: NBBN
Found: 5, January 2008
vBulletin Version: 3.6.8 Patch Level x and possibly lower
Type: XSRF/XSS
Risk: Medium
###############################################################
##Explanation(english)##
By Hasadya Raed
Contact : RaeD (at) BsdMail (dot) Com - Israel
Greetz : -Fairoz-
-----------------------------------
vBulletin v3.6.5
Dork : "Powered by vBulletin v3.6.5. Copyright ©2000 - 2007 "
-----------------------------------
Exploits :
Http://WWW.Victim.Com/vb/includes/functions.php?classfile=[Shell-Attack]
Product: vBulletin
Version: 3 - 4.1.3
Release Date: 06/02/2011
Risk: Low
Authentication: Not required to exploit.
Remote: Yes
Description:
Multiple Open Redirect vulnerabilities in vBulletin version 4.1.3 and below allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the "url" parameter. By appending ?url=http://attackersite.com to any number of pages, the user will be redirected to a potentially dangerous site. This is particularly interesting when used on the registration form or the password reset form.
Product Information
--------------------
PhotoPost vBGallery is a popular commercial Image Gallery Add-on for
vBulletin which is being developed by All Enthusiasts, Inc.
http://www.photopost.com
Description
-----------
PhotoPost vBGallery 2.5 allows the user to modify gallery settings for
his profile page if the function is enabled and the user has permission
vBulletin 3.8.2 adminCP Cross-Site Scripting
R.I.P DrtRp - We miss you
---------------------------------------------
Original Post at http://forum.aria-security.com/en/showthread.php?p=1179
Greetz to Aura & all Aria-Security Mods & Members
These were all tested on vBulletin 3.8.0 RC2, so other versions may be affected.
1. Users Title. admincp/usertitle.php?do=modify. Add a new title. use the following code as title name.
#Discovered By : Hasadya Raed
----------------
#Contact : RaeD@BsdMail.Cpm
----------------
#Script: vBulletin V3.6.8
----------------
#Dork: vBulletin V3.6.8
----------------
#Exploit :
By Hasadya Raed
Contact : RaeD@BsdMail.Com - Israel
Greetz : -Fairoz-
-----------------------------------
vBulletin v3.6.5
Dork : "Powered by vBulletin v3.6.5. Copyright ©2000 - 2007 "
-----------------------------------
Exploits :
Http://WWW.Victim.Com/vb/includes/functions.php?classfile=[Shell-Attack]
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.
aMember Pro also supports integration plugins to link users database with third-party scripts,
for example vBulletin, Joomla, WordPress (see list of integration plugins).
aMember is a perfect membership software for selling digital subscriptions and downloads.
Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.
Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)
###############################################
# Vendor: vBulletin
# Affected versions: 3.7.x - 3.8.x
# Mod: Two-Step External Link
# URL: http://www.vbulletin.org/forum/showthread.php?t=217708
# Vulnerability type: XSS
# Risk rating: Medium
###############################################
# [Exploit]
# http://[FORUM]/externalredirect.php?url=XSS
Description: With this file you can see all files(.sql - .tar.gz - .zip - .rar - .php - .anything) / directories from the folder with vBulletin installed...
Exploit: http://www.website.com/vB_forum/validator.php
Author: PaxNwo ( www.rstcenter.com )
3. $specialtemplates isn't even used.
Rather than just searching for require_once / include_once in the code maybe actually read the context or even do some testing?
Scott MacVicar
Development Team, vBulletin
This exploit is valid. We've just exploited it.
VBulletin 3.7.0 Gold.
martin.meredith@vbulletin.com wrote:
> This is invalid. the variable q is taken, split into words, and then each word is escaped for usage within the DB.
>
> Once again, this is invalid
>