Marecki on 14/12/2002 at 01:08
<a onMouseOver="alert(document.cookie);" href="http://www.somethingawful.com/">Just a harmless link... or is it</a>
Enable JavaScript in your browser, then point at the underlined text above. Yes, that's right; you don't even have to click it.
At the moment there are three known vulnerabilities in vBulletin, two of which I've managed to reproduce at our forums. This one is the most recent and the most serious of them because unlike the other two, which require the victim to click the malicious link and therefore make it possible to see the URI prior to the action, in this case all that has to be done is positioning your pointer above the malicious tag. Unless one looks at the source code of the page, there is no way of finding out something is amiss. And the attack doesn't have to be delivered through links... How about <b onMouseOver="alert(document.cookie);">a string of bold text</b> or <hr onMouseOver="alert(document.location);">a simple decorative element?
The code injected above is harmless because it's local. It is however trivial to make your cookie data be sent to a remote URI where a logging script (many are available) stores it for possible future use - and that is still far from all that can be done with JavaScript.
I urge everyone to keep JavaScript support disabled in your browsers by default and enable it only when necessary. It's a good rule: while here you have little to fear from script kiddies, the Web is a dark place nowadays.
Para?noid on 14/12/2002 at 01:31
DON YOUR TINFOIL HATS
MsLedd on 14/12/2002 at 07:23
Thanks for the heads-up, Marecki!
I have disabled the offending codes (as far as I know). Can you provide a link with more information on this vulnerability?