Vulnerabilities > CVE-2006-1040 - HTML Injection vulnerability in Jelsoft Vbulletin 3.0.12/3.5.3

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
jelsoft
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php. This vulnerability affects all Jelsoft vBulletin versions between 3.0.12 and 3.5.3.

Vulnerable Configurations

Part Description Count
Application
Jelsoft
2

Exploit-Db

description: VBulletin 3.0/3.5 Profile.PHP Email Field HTML Injection Vulnerability. CVE-2006-1040. Webapps exploit for PHP platform
id: EDB-ID:27343
last seen: 2016-02-03
modified: 2006-03-02
published: 2006-03-02
reporter: imei
source: https://www.exploit-db.com/download/27343/
title: VBulletin 3.0/3.5 Profile.PHP Email Field HTML Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: VBULLETIN_354.NASL
description: According to its banner, the version of vBulletin installed on the remote host does not properly sanitize user-supplied input to the email field in the […]
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20992
published: 2006-03-03
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20992
title: vBulletin Email Field XSS
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  # Plugin identity and the public advisories this check tracks.
  script_id(20992);
  script_version("1.21");
  script_cve_id("CVE-2006-1040");
  script_bugtraq_id(16919);

  script_name(english:"vBulletin Email Field XSS");
  script_summary(english:"Checks version number of vBulletin");

  # Report text.  The multi-line values are literal strings, so their
  # continuation lines stay at column 0 to keep the text unchanged.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
cross-site scripting issue." );
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of vBulletin installed on the
remote host does not properly sanitize user-supplied-input to the
email field in the 'profile.php' script.  Using a specially crafted
email address in his profile, an authenticated attacker can leverage
this issue to inject arbitrary HTML and script code into the browsers
of users who view the attacker's profile." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/426537/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/180521-vbulletin-3-5-4-released?t=176170" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to vBulletin 3.5.4 or later." );

  # Risk scoring (CVSSv2 base + temporal) and exploit metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): the Exploit-DB record for CVE-2006-1040 (EDB-ID 27343)
  # indicates a public PoC exists, so this attribute may be stale; confirm
  # before relying on it in reporting.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Publication dates and plugin classification.
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/03");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/03/02");
  script_cvs_date("Date: 2018/11/15 20:50:19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:jelsoft:vbulletin");
  script_end_attributes();

  # Scan-engine registration: when the check runs and what it needs.
  # NOTE(review): the body below is a banner/version comparison that sends
  # no request of its own, so ACT_ATTACK looks stronger than necessary;
  # confirm the intended category.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Runs only after the vBulletin detector has populated the KB, on a
  # web port, and unless CGI scanning is disabled.
  script_dependencies("vbulletin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/vBulletin");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


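port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Test an install.
# The detector plugin stores "<version> under <directory>" in the KB for
# each vBulletin install it found on this port; nothing to do otherwise.
install = get_kb_item(string("www/", port, "/vBulletin"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];

  # Vulnerable: every 0.x-2.x release, 3.0.x-3.4.x, and 3.5.0-3.5.3
  # (fixed in 3.5.4, see the solution text).  The last digit of each
  # branch is anchored to end-of-string or a non-digit so that a longer
  # patch number (e.g. a hypothetical "3.5.30") is not accepted by a bare
  # prefix match on "3.5.3".
  if (ver =~ "^([0-2]\.|3\.([0-4]($|[^0-9])|5\.[0-3]($|[^0-9])))") {
    security_warning(port);
    # Lets other plugins know this port already reported an XSS finding.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}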