Wednesday 27 June 2012

vBulletin 4.2 persistent XSS

Because my bug leaked somehow, here you have full detailed info:

                                                                     
                                                                     
                                                                     
                                             
[ TITLE ....... ][ Persistent Cross-Site Scripting in vBulletin 4.2
[ DATE ........ ][ 15.06.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.2
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

 This is persistent cross-site scripting attack. 
Vulnerability can be exploited by normal ("registered") user.

[--------------------------------------------[
[ 3. Where is bug :)

To exploit this vulnerability we need (to create/register) account of normal user:

 3.1. Go to Your http://vBullet.in/forum/ and log in as a "normal user". (screen01)
 3.2. After login in, we are redirecting to /activity.php (This page is called 'Activity Stream').
 3.3. Now (as a registered user), we need to go to our /forum/calendar.php.
 3.4. We are now at "HOME-> Calendar ->Default Calendar". Now (on right) we must click 
      to 'Add new event'. (screen02)
 3.5. Vulnerable form here is 'Title'. To check it, type as a title something like:
      test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script> (screen03).
 3.6. And now. Your 'new event' is added 'as a clear text' - by 'clear text' I mean
      'text only, without XSS'. But...
 3.7. Logout now, and log-in again. Your added XSS-code, will be presented at
      first page (activity.php) for user who will log in.

If You want re-test this bug, You should create 2 users: registered1 and registered2.
Add payload ('add new event') as a registered1, and log out. Now log-in as a registered2,
and after login-page, there should be trigerred XSS.


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Pentests - mail me.
]
[ Best regards
[ 

Monday 4 June 2012

[EN] Persistent XSS for admin in WP 3.3.2 - wanna? ;)

Yes, yes, "for admin only".

...if 'admin' = user who can create something. But 'what'? ;]
I will tell first to all of You, who will send me mail ;)

(And yes, I just want to check, that you 'are' interested (or 'not') for 'bugs' in admin panels too.
Who knows, maybe some of You are paranoid like me ;P and want to 'secure all' ;D

If so, You know when You can find me ;)

Cheers o/

Sunday 3 June 2012

[EN] Joomla 2.5.4 - remote user logout bug

Yes, that seems to be, that in (still) latest Joomla (2.5.4) we have a so-called-bug.

By sending malformed request to the user, we are able to "logout" him.

Why this could be used for attack? So, badguy, can change (deface) your companys site,
and add there a password-stealer (to php code for example).

Now he can logout all users like a sniper. ;]

(Yes yes, there is a way from admin panel to do the same, but who cares...? ;))

I want finish some test right now, and for a few hours there will be update here.

...and thanks for watching at all-this-break ;)

Cheers o/
;)