Basically when researching this vulnerability I found out a “new” way (at least in my little world):
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1502-vbulletin-3-8-4-cross-site-script-redirection.html
http://forum.intern0t.net/blogs/maxe/62-having-fun-cross-site-scripting.html
Which wouldn’t really do anything, but if you apply “new line” or “carriage return” (%0a or %0d) to the url then you have all the power in the world.
// %0A ( \n aka new line )
I know it looks so simple and anyone could have come up with that, but I haven’t seen it yet anywhere on the net and it made my day.
Pretty clever filter evasion there. Easy enough to patch, of course, but just another great example of how people’s misunderstanding of the protocol and languages they are attempting to thwart works against them. Chalk this up to another blacklist that shouldn’t exist.
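To make the "blacklist that shouldn't exist" point concrete, here is an added example (not code from vBulletin or from either post) contrasting a denylist check on a redirect parameter with an allowlist check. The denylist compares the raw, still percent-encoded value against banned scheme prefixes, so a value that begins with an encoded newline or carriage return slips past it even though browsers and URL parsers discard those characters. The hardened version decodes first, rejects any control character outright, and then permits only http(s) targets on the site's own host or site-relative paths. The host name `forum.example`, the function names and the sample inputs are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Hypothetical denylist of the kind the post describes: a few banned scheme
# prefixes compared against the redirect parameter exactly as received.
DENIED_SCHEMES = ("javascript:", "data:", "vbscript:")


def denylist_accepts(raw_param: str) -> bool:
    """Naive filter: True if the raw (undecoded) value does not start with a banned scheme.

    Because it never decodes, a leading %0A or %0D changes the first bytes it
    sees, and the comparison no longer matches.
    """
    return not raw_param.lower().startswith(DENIED_SCHEMES)


# Hardened replacement (assumed design, not vBulletin's own fix).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, TAB, NUL and friends
ALLOWED_SCHEMES = {"http", "https"}
SITE_HOST = "forum.example"                       # assumed host for this example


def allowlist_accepts(raw_param: str) -> bool:
    """Decode, reject control characters, then allow only known-good targets."""
    decoded = unquote(raw_param)

    # Reject before parsing: browsers (and urlsplit itself) strip tab, CR and
    # LF from a URL, so a check that runs after parsing never sees them.
    if CONTROL_CHARS.search(decoded):
        return False

    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as /showthread.php?t=1 (no scheme, no host).
        return decoded.startswith("/")

    # Absolute URL: scheme must be http(s) and the host must be our own.
    # Protocol-relative values like //evil.example/ have a netloc but no
    # scheme and therefore fail here.
    return parts.scheme.lower() in ALLOWED_SCHEMES and parts.hostname == SITE_HOST


if __name__ == "__main__":
    # Constructed sample redirect parameters, shown as they would arrive in a query string.
    samples = [
        "javascript:x",                               # blocked by both checks
        "%0Ajavascript:x",                            # encoded LF prefix: denylist misses it
        "%0Djavascript:x",                            # encoded CR prefix: denylist misses it
        "https://forum.example/showthread.php?t=1",   # legitimate on-site target
        "/forumdisplay.php?f=2",                      # legitimate relative path
        "https://evil.example/",                      # off-site, rejected by allowlist
        "//evil.example/",                            # protocol-relative, rejected by allowlist
    ]
    for value in samples:
        print(f"{value!r:48} denylist={denylist_accepts(value)!s:5} allowlist={allowlist_accepts(value)}")
```

The `__main__` section prints a side-by-side table of the two checks over the constructed samples. The design choice worth noting is the ordering in `allowlist_accepts`: the control-character test runs on the decoded string before `urlsplit` is called, because the parser normalises exactly the bytes the filter needs to see.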