[CVE-ID REQUEST] vBulletin - Multiple Open Redirects
From: Robert Gilbert <rgilbert () halock com>
Date: Thu, 2 Jun 2011 14:46:52 -0500
Version: 3 - 4.1.3
Release Date: 06/02/2011
Authentication: Not required to exploit.
Multiple Open Redirect vulnerabilities in vBulletin version 4.1.3 and below allow remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via the "url" parameter. By appending ?url=http://attackersite.com to any
number of pages, the user will be redirected to a potentially dangerous site. This is particularly interesting when
used on the registration form or the password reset form.
Vendor Notified: Yes
HALOCK Security Labs, Purpose Driven Security(tm)
rgilbert [-at-] halock [-dot-] com
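As an added illustration of the class of bug reported above (not part of the original post and not vBulletin code), the following sketch shows a server-side check that only honours a "url" value when it stays on the site. The function name, the host `forum.example.com`, the fallback path and the sample paths are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the site's own hostname and a fallback page.
ALLOWED_HOSTS = {"forum.example.com"}
DEFAULT_TARGET = "/index.php"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return raw only if it keeps the user on an allowed host, else default."""
    if not raw:
        return default
    # Browsers treat "\" like "/" and silently drop tab/CR/LF, so a value
    # containing them can parse differently here than in the browser.
    if "\\" in raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # "//host" and "///host" are both resolved by browsers as a new authority,
    # although urlsplit() reports "///host" as a plain path.
    if raw.startswith("//"):
        return default
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path on this site.
        return raw if raw.startswith("/") else default
    # Absolute URL: http(s) only, and the parsed host (not a substring or
    # the userinfo part before "@") must be one of ours.
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return raw
    return default


if __name__ == "__main__":
    # Constructed sample values, including the one from the report.
    for value in ("http://attackersite.com", "/register.php",
                  "///attackersite.com",
                  "http://forum.example.com@attackersite.com/"):
        print(repr(value), "->", safe_redirect_target(value))
```

The check is deliberately strict: anything it cannot classify as same-site falls back to the default page rather than being passed to the `Location` header.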