vBulletin 'adminlog.php' Request Logging HTML Injection Vulnerability
BID:30134
Info
| Bugtraq ID: | 30134 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-3184 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 08 2008 12:00AM |
| Updated: | May 07 2015 05:27PM |
| Credit: | Jessica Hope and anonymous researchers |
| Vulnerable: | vBulletin 3.7.2, 3.7.1 PL2, 3.7.1 PL1, 3.7.1, 3.7 Gold, 3.6.10 PL2, 3.6.10 PL1, 3.6.10, 3.6.9, 3.6.8, 3.6.7, 3.6.6, 3.6.5, 3.6.4, 3.6.3, 3.6.2, 3.6.1, 3.6, 3.5.x, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.0.15, 3.0.14, 3.0.12, 3.0.11, 3.0.10, 3.0.9, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0 Gamma, 3.0 beta 7, 3.0 beta 6, 3.0 beta 5, 3.0 beta 4, 3.0 beta 3, 3.0 beta 2, 3.0, 2.3.8, 2.3.4, 2.3.3, 2.3.2, 2.3.0, 2.2.9, 2.2.8, 2.2.7, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.1, 2.2.0, 2.0.3, 2.0 rc 3, 2.0 rc 2, 1.0.1 lite |
| Not Vulnerable: | vBulletin 3.7.2 PL1, 3.6.10 PL3 |
Discussion
vBulletin is prone to an HTML-injection vulnerability because its administrative request logging ('adminlog.php') fails to properly sanitize user-supplied input before using it in dynamically generated content: request data that is recorded in the admin log is later rendered without adequate HTML encoding.
Attacker-supplied HTML and script code would run in the browser of a user who views the affected log, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Because the admin log is viewed from the administrative interface, the session exposed is typically an administrator's. Other attacks are also possible.
Versions prior to vBulletin 3.7.2 PL1 and 3.6.10 PL3 are vulnerable; 3.7.2 PL1 and 3.6.10 PL3 are the fixed releases.
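The rendering flaw described above, as an added illustration that is not vBulletin's own code: a minimal admin-action log written in PHP that records a request's script name and parameters and then renders the log row, first by concatenating the stored fields directly (the vulnerable pattern) and then with htmlspecialchars() applied at output time. The function names, the sample request and the timestamp are hypothetical; nothing here reproduces adminlog.php itself.

```php
<?php
// Added illustration, not vBulletin's own code. It models the flaw class the
// advisory describes: an admin-action log that records request data and later
// renders it without HTML encoding. All function names here are hypothetical.

function h(string $s): string
{
    // Output-encode a value for use as HTML text or an attribute value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Record one admin request: the script that was called and its decoded
// parameters, joined back into a readable "key=value&key=value" string.
// The log stores the request exactly as interpreted, with no encoding.
function log_admin_request(array &$log, string $script, array $params): void
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    $log[] = [
        'time'   => '2008-07-08 00:00:00',   // constructed timestamp
        'script' => $script,
        'params' => implode('&', $pairs),
    ];
}

// Vulnerable rendering: logged fields are concatenated straight into the table
// row, so any markup inside a parameter value reaches the browser of whoever
// views the log as live HTML.
function render_log_row_vulnerable(array $entry): string
{
    return '<tr><td>' . $entry['time'] . '</td><td>' . $entry['script']
         . '</td><td>' . $entry['params'] . '</td></tr>';
}

// Hardened rendering: the same row with every field encoded at output time.
function render_log_row_escaped(array $entry): string
{
    return '<tr><td>' . h($entry['time']) . '</td><td>' . h($entry['script'])
         . '</td><td>' . h($entry['params']) . '</td></tr>';
}

// True if the rendered HTML still carries a literal <script tag.
function has_live_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample request: one parameter value carries a script tag.
$log = [];
log_admin_request($log, 'user.php', [
    'do'     => 'find',
    'userid' => '<script>alert(document.cookie)</script>',
]);

$vuln = render_log_row_vulnerable($log[0]);
$safe = render_log_row_escaped($log[0]);

// The vulnerable row keeps the tag as markup; the escaped row carries it only
// as text (&lt;script&gt;), which the browser will not execute.
var_dump(has_live_script_tag($vuln));
var_dump(has_live_script_tag($safe));
```

Run it from the command line with php. The point of has_live_script_tag() is the check a reviewer should make against any log viewer that echoes request data: feed it a parameter containing markup and confirm the rendered page carries that markup only as encoded text. Encoding belongs at the output boundary rather than at logging time, because an audit log has to preserve the request exactly as it was received.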
Exploit / POC
Attackers can use a browser to exploit this issue: a request whose parameters carry HTML or script code is recorded by the admin log and delivered to the browser of whoever later views that log. No exploit code is included in this entry.
Solution / Fix
Solution:
The vendor has released patches: upgrade to vBulletin 3.7.2 PL1 or 3.6.10 PL3, as appropriate for the installed branch. Please see the references for more information.
References
References:
- vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released (vBulletin)
- vBulletin Homepage (vBulletin)
- XSS in admin logs - vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower (Jessica Hope)