Wednesday, 27 June 2012

vBulletin 4.2 persistent XSS

Because my bug leaked somehow, here you have the full detailed info:

[ TITLE ....... ][ Persistent Cross-Site Scripting in vBulletin 4.2
[ DATE ........ ][ 15.06.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.2
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is a persistent cross-site scripting vulnerability.
It can be exploited by a normal ("registered") user.

[--------------------------------------------[
[ 3. Where is bug :)

To exploit this vulnerability we need to create/register a normal user account:

 3.1. Go to your http://vBullet.in/forum/ and log in as a "normal user". (screen01)
 3.2. After logging in, we are redirected to /activity.php (this page is called 'Activity Stream').
 3.3. Now (as a registered user), we need to go to /forum/calendar.php.
 3.4. We are now at "HOME -> Calendar -> Default Calendar". Now (on the right) we must click
      'Add new event'. (screen02)
 3.5. The vulnerable field here is 'Title'. To check it, type as a title something like:
      test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script> (screen03).
 3.6. And now: your 'new event' is added 'as clear text' - by 'clear text' I mean
      'text only, without XSS'. But...
 3.7. Log out now, and log in again. Your added XSS code will be presented on the
      first page (activity.php) to the user who logs in.

If you want to re-test this bug, you should create 2 users: registered1 and registered2.
Add the payload ('add new event') as registered1, and log out. Now log in as registered2,
and after the login page, the XSS should be triggered.
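Added example (not the author's or vBulletin's code): a Python sketch of the root cause of this class of bug, contrasting a template that concatenates the stored event title into the activity-stream markup with one that HTML-encodes it at output time, using the title from step 3.5, plus a check a forum admin could run over existing event titles after patching. The template strings, row format and function names are assumptions for illustration.

```python
import html
import re

# Constructed sample: the event title from step 3.5, as a registered user would store it.
STORED_TITLE = "test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script>"

# Constructed sample rows (user, event title) standing in for the calendar event table.
SAMPLE_ROWS = [
    ("registered1", STORED_TITLE),
    ("registered2", "Team meeting 10:00"),
]


def render_activity_item_unsafe(title: str) -> str:
    """Illustrative 'before': the stored title is dropped into both an attribute
    and the element body with no output encoding. The leading ' in the payload
    closes the attribute, and the rest becomes live markup."""
    return f"<a class='event' title='{title}'>{title}</a>"


def render_activity_item_safe(title: str) -> str:
    """Hardened version: encode at output time. quote=True also encodes ' and ",
    so the value can neither close the attribute nor start a tag."""
    enc = html.escape(title, quote=True)
    return f"<a class='event' title='{enc}'>{enc}</a>"


# Anything that looks like an HTML tag inside a stored title is suspicious:
# a calendar title has no legitimate reason to contain markup.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_suspicious_titles(rows):
    """Post-patch audit: return the (user, title) rows whose stored title contains
    tag-like markup, so stored payloads can be cleaned up and attributed."""
    return [(user, title) for user, title in rows if _TAG_RE.search(title)]


if __name__ == "__main__":
    print("unsafe :", render_activity_item_unsafe(STORED_TITLE))
    print("safe   :", render_activity_item_safe(STORED_TITLE))
    print("audit  :", find_suspicious_titles(SAMPLE_ROWS))
```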


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Pentests - mail me.
]
[ Best regards
[ 

3 comments:

  1. AWESOME BLOGSPOT

  2. I need help hacking this site running vBulletin 4.2.2 if you can help contact me through k.mahenge [at] gmail [dot] com

  3. kanamania: sorry man. I'm doing only legal contracts.

What do You think...?