Home page logo

bugtraq logo Bugtraq mailing list archives

[CVE-ID REQUEST] vBulletin - Multiple Open Redirects
From: Robert Gilbert <rgilbert () halock com>
Date: Thu, 2 Jun 2011 14:46:52 -0500

Product: vBulletin
Version: 3 - 4.1.3
Release Date: 06/02/2011
Risk: Low
Authentication: Not required to exploit.
Remote: Yes

Multiple Open Redirect vulnerabilities in vBulletin version 4.1.3 and below allow remote attackers to redirect users to 
arbitrary web sites and conduct phishing attacks via the "url" parameter. By appending ?url=http://attackersite.com any 
number of pages, the user will be redirected to a potentially dangerous site. This is particularly interesting when 
used on the registration form or the password reset form. 

Exploit Example:

Vendor Notified: Yes



Robert Gilbert
Senior Consultant
HALOCK Security Labs, Purpose Driven Security(tm)
rgilbert [-at-] halock [-dot-] com 

Note: This message (including any attachments) is intended only for the use of the individual or entity to which it is 
addressed and may contain information that is non-public, proprietary, privileged, and/or confidential. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify us immediately by 
telephone and delete this message immediately.

  By Date           By Thread  

Current thread:
  • [CVE-ID REQUEST] vBulletin - Multiple Open Redirects Robert Gilbert (Jun 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]