VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerability

Discussion in 'vBulletin' started by Libertate, Feb 6, 2007.

  1. #1
    Popped up on Bugtraq. I have not confirmed this yet.

    Libertate, Feb 6, 2007
  2. JRBHosting
    #2
    Does anyone know if this XSS can be triggered without logging into the ACP?
     
    JRBHosting, Feb 6, 2007
  3. T0PS3O
    #3
    The only people able to access the ACP are those who know the password, so that eliminates a big part of the threat. They also tend to be those who sanitize the input themselves by default. I don't see how an attacker can benefit from this unless he uses a compromised ACP.
     
    T0PS3O, Feb 6, 2007
  4. Libertate
    #4
    Apologies vB. My presumption was incorrect.

    As I have a staff that goes through piles and piles of warnings, I do not dig deep enough to see if the software publisher was notified. We presumed by default that Bugtraq or at least hackerscenter have enough sense to notify vB.

    Again, to vB - my apologies.

    A quick fix to the problem is, and in general a very good practice, to additionally restrict access to the /admincp/ folder through .htaccess.
     
    Libertate, Feb 7, 2007
  5. Bleachwork
    #5
    In addition to the .htaccess file, renaming the default folder /admincp/ also helps, in case you accidentally delete the command out of the file.
     
    Bleachwork, Feb 7, 2007
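    The two mitigations suggested in posts #4 and #5 (restricting /admincp/ with .htaccess, and renaming the folder) can be combined. The following .htaccess is an added example for this thread, not code from vBulletin or from any poster; it uses Apache 2.2 directive syntax, the release current at the time of the thread, and the IP range, the .htpasswd path and the realm name are placeholders you substitute for your own. Even with an XSS flaw present in an admincp script, the injected page can only run in the browser of someone who can reach those scripts at all, so making the directory reachable from fewer networks and behind a second, separate password shrinks the exposure while a vendor patch is pending.

```apache
# Added example (not from the thread or from vBulletin): an .htaccess placed
# inside the forum's /admincp/ directory. Apache 2.2 syntax. Requires the
# directory to be covered by "AllowOverride AuthConfig Limit" in httpd.conf.

# Layer 1: source-IP allow-list. 203.0.113.0/24 is a placeholder taken from
# the RFC 5737 documentation range; replace it with your staff's addresses.
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24

# Layer 2: HTTP Basic authentication with credentials that are distinct from
# the vBulletin administrator login. The user file path is a placeholder;
# keep it outside the web root and create it with: htpasswd -c <file> <user>
AuthType Basic
AuthName "Administration"
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user

# Both layers must pass. "Satisfy Any" would accept either one alone,
# which defeats the point of stacking them.
Satisfy All
```

    On Apache 2.4 the same policy is written with `Require ip 203.0.113.0/24` and `Require valid-user` inside a `<RequireAll>` block, since the 2.2 `Order`/`Allow`/`Deny`/`Satisfy` directives are deprecated there. If you also rename the folder as post #5 suggests, the .htaccess moves with it; the rename only adds obscurity, so the access rules above remain the actual control. After editing, confirm with a request from an address outside the allow-list that the server answers 403 and not the admin login page.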
  6. minstrel
    #6
    See Kier's responses to this here.
     
    minstrel, Feb 17, 2007