Re: XSS with Vbulletin (new idea !)



Standard vBulletin will not allow for inline display of any unsafe attachment 
type. This includes .SWF. If inline viewing of a potentially unsafe attachment 
type is allowed, then this is either done by a modification or by a custom 
BB-code.

If the attachment can only be downloaded (like with default vBulletin), then it 
can never execute any code inside the webserver scope.

Conclusion: There is no vulnerability in vBulletin and this is a bogus report.