vBulletin 3.8.x - 4.1.11 Cross Site Scripting

vBulletin 3.8.x - 4.1.11 Cross Site Scripting: Posted Mar 25, 2012; Authored by Sony, Flexxpoint; vBulletin versions 3.8.x through 4.1.11 suffer from multiple cross site scripting vulnerabilities.; tags | advisory, vulnerability, xss; SHA-256 | 1e826acb7f4efb5e1bd9d1fcf96b270e09d5a2146f0aa55e26fb9a926c1f176e; Download | Favorite | View

vBulletin 3.8.x - 4.1.11 Cross Site Scripting

# Exploit Title:  vBulletin 4.1.10 - 4.1.11 Cross Site Scripting
# Date: 25.03.2012
# Author: Sony and Flexxpoint
# Software Link: https://www.vbulletin.com/
# Web Browser : Mozilla Firefox
# Blog Flexxpoint: http://flexxpoint.blogspot.com/
# Blog Sony: http://st2tea.blogspot.com
# Site : http://insecurity.ro
..................................................................

Well, we have an interesting xss in vBulletin 4.1.10 - 4.1.11 (maybe other
version)

We have xss in a lot of places.

https://www.vbulletin.com/forum/blog.php
https://www.vbulletin.com/forum/
https://www.vbulletin.com/forum/group.php
etc..


Simple Example:

https://www.vbulletin.com/forum/group.php

http://2.bp.blogspot.com/-BGr5Gpx3hcU/T25sVUwAXOI/AAAAAAAAA1k/ZMIHWQ33RJM/s1600/demo.JPG

Click on URL and put our xss code in the URL:

http://2.bp.blogspot.com/-u4MX7TvWS0I/T25tETfkJCI/AAAAAAAAA1w/eCYX2ANJAC8/s1600/demo2.JPG

And press button Ok and button Preview Message.

http://4.bp.blogspot.com/-Nu2V0B8a9X8/T25ueP3feZI/AAAAAAAAA18/PzTyykhnRsA/s1600/demo3.JPG

We can see xss. It's in all places, where we can use "url".

How you can use this? idk..

But i know what you can use..

Create new topic, put our xss in the "url" and click on Promote to Article..

http://2.bp.blogspot.com/-jjoVibvT6Jc/T25w8Y44ihI/AAAAAAAAA2I/49o61qj0-Go/s1600/pr.JPG

or Blog this Post..

http://3.bp.blogspot.com/-Z1d0eiIjvAw/T25xa3qvmyI/AAAAAAAAA2U/mzmP5SU3qTA/s1600/blog.JPG

It's a hard, but possibly.

Simple Video PoC:

http://www.youtube.com/watch?v=endyyK1rW4k

Or example on http://www.chinclub.ru/forum.php

http://www.chinclub.ru/showthread.php?p=257153

(It's topic) You can create other with xss (for example).

But we can give other link for users or admin ..(link Blog this Post)

http://www.chinclub.ru/blog_post.php?do=newblog&p=257153

And here we can see our persistent xss and..hmm..

We test this on some forums. It's work.

Demo vBulletin Forum. Version 4.1.10.

https://www.vbulletin.com/admindemo.php

PoC original:

http://st2tea.blogspot.com/2012/03/vbulletin-4110-4111-cross-site.html

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

vBulletin 3.8.x - 4.1.11 Cross Site Scripting

vBulletin 3.8.x - 4.1.11 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

vBulletin 3.8.x - 4.1.11 Cross Site Scripting

Share This

vBulletin 3.8.x - 4.1.11 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems