Vulnerabilities > CVE-2005-3020 - Cross-Site Scripting vulnerability in VBulletin

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
jelsoft
nessus
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin before 3.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to css.php, (2) redirect parameter to index.php, (3) email parameter to user.php, (4) goto parameter to language.php, (5) orderby parameter to modlog.php, and the (6) hex, (7) rgb, or (8) expandset parameter to template.php.

Exploit-Db

  • description: VBulletin 1.0.1 lite/2.x/3.0 /admincp/language.php goto Parameter XSS. CVE-2005-3020. Webapps exploit for php platform
    id: EDB-ID:26281
    last seen: 2016-02-03
    modified: 2005-09-19
    published: 2005-09-19
    reporter: [email protected]
    source: https://www.exploit-db.com/download/26281/
    title: VBulletin 1.0.1 lite/2.x/3.0 /admincp/language.php goto Parameter XSS
  • description: VBulletin 1.0.1 lite/2.x/3.0 /admincp/template.php Multiple Parameter XSS. CVE-2005-3020. Webapps exploit for php platform
    id: EDB-ID:26283
    last seen: 2016-02-03
    modified: 2005-09-19
    published: 2005-09-19
    reporter: [email protected]
    source: https://www.exploit-db.com/download/26283/
    title: VBulletin 1.0.1 lite/2.x/3.0 /admincp/template.php Multiple Parameter XSS
  • description: VBulletin 1.0.1 lite/2.x/3.0 /admincp/user.php email Parameter XSS. CVE-2005-3020. Webapps exploit for php platform
    id: EDB-ID:26280
    last seen: 2016-02-03
    modified: 2005-09-19
    published: 2005-09-19
    reporter: [email protected]
    source: https://www.exploit-db.com/download/26280/
    title: VBulletin 1.0.1 lite/2.x/3.0 /admincp/user.php email Parameter XSS
  • description: VBulletin 1.0.1 lite/2.x/3.0 /admincp/modlog.php orderby Parameter XSS. CVE-2005-3020. Webapps exploit for php platform
    id: EDB-ID:26282
    last seen: 2016-02-03
    modified: 2005-09-19
    published: 2005-09-19
    reporter: [email protected]
    source: https://www.exploit-db.com/download/26282/
    title: VBulletin 1.0.1 lite/2.x/3.0 /admincp/modlog.php orderby Parameter XSS
  • description: VBulletin 1.0.1 lite/2.x/3.0 /admincp/css.php group Parameter XSS. CVE-2005-3020. Webapps exploit for php platform
    id: EDB-ID:26278
    last seen: 2016-02-03
    modified: 2005-09-19
    published: 2005-09-19
    reporter: [email protected]
    source: https://www.exploit-db.com/download/26278/
    title: VBulletin 1.0.1 lite/2.x/3.0 /admincp/css.php group Parameter XSS

Nessus

NASL family: CGI abuses
NASL id: VBULLETIN_309.NASL
description: The version of vBulletin installed on the remote host fails to properly sanitize user-supplied input to a number of parameters and scripts before using it in database queries and to generate dynamic HTML. An attacker can exploit these issues to launch SQL injection and cross-site scripting attacks against the affected application. Note that the affected scripts require moderator or administrator access, with the exception of 'joinrequests.php'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19760
published: 2005-09-19
reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof..
source: https://www.tenable.com/plugins/nessus/19760
title: vBulletin <= 3.0.9 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security
#



include("compat.inc");

if (description)
{
  # Registration pass: only plugin metadata is declared here, and the
  # block ends with exit(0) so the check logic further down is not run
  # while `description` is set.

  # Identity of the plugin.
  script_id(19760);
  script_version("1.26");

  # One plugin covers four CVEs. CVE-2005-3020 is the XSS entry; the
  # description text below also mentions SQL injection.
  script_cve_id("CVE-2005-3019", "CVE-2005-3020", "CVE-2005-3024", "CVE-2005-3025");
  script_bugtraq_id(14872, 14874);

  script_name(english:"vBulletin <= 3.0.9 Multiple Vulnerabilities");

  # Report text. Continuation lines of the multi-line literals stay at
  # column 0 so no extra whitespace ends up inside the strings.
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server contains a PHP script that is vulnerable to
several flaws."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of vBulletin installed on the remote host fails to
properly sanitize user-supplied input to a number of parameters and
scripts before using it in database queries and to generate dynamic
HTML.  An attacker can exploit these issues to launch SQL injection
and cross-site scripting attacks against the affected application. 
Note that the affected scripts require moderator or administrator
access, with the exception of 'joinrequests.php'."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt"
  );
  # The solution text itself says 3.0.9 does not fix everything, which
  # is why the plugin title reads "<= 3.0.9".
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to vBulletin 3.0.9 to resolve many but not all of these issues."
  );

  # Scoring. cvss_score_source names CVE-2005-3019, so these vectors
  # describe that CVE and are not a per-CVE rating for the other three
  # ids listed above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-3019");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): the temporal vectors above declare E:POC / E:P
  # (proof-of-concept) while exploit_available is "false"; the two look
  # inconsistent. Confirm which one triage tooling should trust.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/19");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/17");

  script_cvs_date("Date: 2018/09/17 21:46:53");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jelsoft:vbulletin");
  script_end_attributes();

  script_summary(english:"Checks for multiple vulnerabilities in vBulletin <= 3.0.9");

  # Scheduling: category, family and ownership.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof..");

  # Preconditions: the detection plugin is declared as a dependency, and
  # the "www/vBulletin" KB key it is presumably responsible for setting
  # must be present. The check is excluded when CGI scanning is disabled.
  script_dependencies("vbulletin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/vBulletin");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, php: TRUE);

# Read the install record for this port from the KB (the script exits
# here if there is none). The pattern below expects the record to look
# like "<version> under <path>"; presumably vbulletin_detect.nasl writes
# it, which is worth confirming against that plugin.
kb_entry = get_kb_item_or_exit("www/" + port + "/vBulletin");
parsed = eregmatch(pattern:"^(.+) under (/.*)$", string:kb_entry);

# The verdict comes from the recorded version string alone; none of the
# affected parameters is exercised here. A finding therefore means "the
# reported version is in the affected range". Installs that were patched
# in place, or that report a modified version, need manual confirmation.
#
# nb: 3.0.9 and below are affected, so 3.0.9 itself is flagged too. The
# pattern accepts 0.x-2.x and 3.0.0-3.0.9 (a single patch digit followed
# by end-of-string or a non-digit).
# NOTE(review): a bare "3.0" with no patch component would not match;
# confirm the detection plugin always records three components.
if (!isnull(parsed) && parsed[1] =~ "^([0-2]\.|3\.0\.[0-9]($|[^0-9]))")
{
  security_hole(port);

  # Both KB flags are raised on the version match alone.
  set_kb_item(name:"www/" + port + "/XSS", value:TRUE);
  set_kb_item(name:"www/" + port + "/SQLInjection", value:TRUE);
  exit(0);
}