vBulletin $newpm[title] parameter cross-site scripting vulnerability
  Add date: 10/07/2008   Publishing date: 10/07/2008

Release date: 2008-08-20
Update date: 2008-08-22

Affected systems:
VBulletin VBulletin 3.7.2 PL1
VBulletin VBulletin 3.6.10 PL3
Unaffected systems:
VBulletin VBulletin 3.7.2 PL2
VBulletin VBulletin 3.6.10 PL4
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30777

vBulletin is an open-source forum application written in PHP.

If a vBulletin forum has the Show New Private Message Notification Pop-Up option enabled, the title of a private message is not correctly filtered before it is stored. This may allow arbitrary HTML and script code to be injected, which is then executed when the malicious data is viewed.

The vulnerable code section is shown below:

/-----------

<!--
// script to show new private message popup
if (confirm("You have a new private message.\n\nSender: [SENDER_USERNAME]\nTitle: '[PRIVATE_MESSAGE_TITLE]'\n\nClick OK to view it, or cancel to hide this prompt."))
{
    // Output when OK is clicked
    if (confirm("Open the message in a new window?\n\n(Press cancel to open in the current window.)"))
    {
        var winobj = window.open("private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]", "pmnew", "statusbar=yes,menubar=yes,scrollbars=yes,toolbar=yes,location=yes,directories=yes,resizable=yes,top=50,left=50");
        if (winobj == null)
        {
            alert("Unable to open a new browser window,\nThis might be due to a 'popup blocker'");
        }
    }
    else
    {
        window.location = "private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]";
    }
}
// end pm popup script
//-->

-----------/
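
An added example (not vBulletin's code and not part of the advisory) of why a message title placed inside the `confirm()` string of the popup template above needs encoding for the inline-script context rather than backslash and quote escaping alone. The function names and the sample title are constructed for illustration, and the HTML tokenizer is modelled in simplified form.

```javascript
// Added illustration, not vBulletin code. Names and sample input are constructed.

// Weak: escapes backslashes, quotes and line breaks only. The output is a valid
// JavaScript string, but "<" and ">" pass through unchanged.
function escapeSlashesOnly(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// Hardened: every UTF-16 code unit outside a small allow-list becomes \uXXXX, so
// the output contains no quote, angle bracket, ampersand or line terminator.
function encodeForInlineScript(s) {
  return s.replace(/[^A-Za-z0-9 ,.:_-]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the popup script the way the template does, with the title inside a
// double-quoted confirm() string, and wraps it in a script element.
function renderPopup(title, encode) {
  const js = 'confirm("You have a new private message.\\n\\nTitle: \'' +
             encode(title) + '\'");';
  return { js, page: '<script>' + js + '</script>' };
}

// Simplified model of the HTML tokenizer: script content ends at the first
// "</script" followed by whitespace, "/" or ">", whatever the JavaScript quoting.
function scriptContentSeenByBrowser(page) {
  const body = page.slice(page.indexOf('<script>') + '<script>'.length);
  return body.slice(0, body.search(/<\/script[\s\/>]/i));
}

// True when the browser hands the JavaScript engine exactly the script the
// server meant to send.
function survivesHtmlParsing(title, encode) {
  const { js, page } = renderPopup(title, encode);
  return scriptContentSeenByBrowser(page) === js;
}

// What the dialog displays: the \uXXXX escapes decode back to the original text.
function decodeEncodedTitle(encoded) {
  return JSON.parse('"' + encoded + '"');
}

const sampleTitle = 'Minutes </script> draft "v2"'; // constructed input
console.log('slash escaping only:', survivesHtmlParsing(sampleTitle, escapeSlashesOnly));
console.log('inline-script encoding:', survivesHtmlParsing(sampleTitle, encodeForInlineScript));
```

The slash-escaped title still ends the script element early because the HTML parser finds the closing tag before any JavaScript is parsed; the `\uXXXX` form keeps the element intact and still displays the original title.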

In global.php, the filtering of the $newpm[title] variable is undone before it is used in install/vbulletin-style.xml; only slash escaping is applied:

/-----------

// #############################################################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND $vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND !defined('NOPMPOPUP'))
{
    $userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
    $userdm->set_existing($vbulletin->userinfo);
    $userdm->set('pmpopup', 1);
    $userdm->save(true, 'pmpopup');    // 'pmpopup' tells db_update to issue a shutdownquery of the same name
    unset($userdm);

    if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')

 
