# Date: 25.03.2012
# Author: Sony , Flexxpoint and .e0f
# Software Link: https://www.vbulletin.com/
# Web Browser : Mozilla Firefox
# Blog Flexxpoint: http://flexxpoint.blogspot.com/
# Blog Sony: http://st2tea.blogspot.com
# Site : http://insecurity.ro
..................................................................
Well, we have an interesting xss in vBulletin 4.1.10 - 4.1.11 (maybe other version)
We have xss in the a lot of places.
https://www.vbulletin.com/forum/blog.php
https://www.vbulletin.com/forum/
https://www.vbulletin.com/forum/group.php
etc..
Simple Example:
https://www.vbulletin.com/forum/group.php
Click on URL and put our xss code in the URL:
And press button Ok and button Preview Message.
We can see xss. It's in all places, where we can use "url".
How you can use this? idk..
But i know what you can use..
Create new topic, put our xss in the "url" and click on Promote to Article..
or Blog this Post..
It's a hard, but possibly.
Simple Video PoC:
Or example on http://www.chinclub.ru/forum.php
http://www.chinclub.ru/showthread.php?p=257153
(It's topic) You can create other with xss (for example).
But we need give other link for users or admin ..(link Blog this Post)
http://www.chinclub.ru/blog_post.php?do=newblog&p=257153
And here we can see our persistent xss and..hmm..
We test this on some forums. It's work.
Demo vBulletin Forum. Version 4.1.10.
https://www.vbulletin.com/admindemo.php
It's Work in other version too.
And..
Today i saw one clip by .e0f, it's too about vBulletin:
http://vimeo.com/39049790
Method is very interesting. It's not in "url".
We can see is here:
http://www.1337day.com/exploits/17824?utm_source=dlvr.it&utm_medium=twitter
vBulletin 4.1.10 XSS Vulnerability 2x from root and toor on Vimeo.
0 comentarii:
Trimiteți un comentariu
Rețineți: Numai membrii acestui blog pot posta comentarii.