vBulletin versions 3.8.x through 4.1.11 suffer from multiple cross site scripting vulnerabilities.
1e826acb7f4efb5e1bd9d1fcf96b270e09d5a2146f0aa55e26fb9a926c1f176e
# Exploit Title: vBulletin 4.1.10 - 4.1.11 Cross Site Scripting
# Date: 25.03.2012
# Author: Sony and Flexxpoint
# Software Link: https://www.vbulletin.com/
# Web Browser : Mozilla Firefox
# Blog Flexxpoint: http://flexxpoint.blogspot.com/
# Blog Sony: http://st2tea.blogspot.com
# Site : http://insecurity.ro
..................................................................
Well, we have an interesting xss in vBulletin 4.1.10 - 4.1.11 (maybe other
version)
We have xss in a lot of places.
https://www.vbulletin.com/forum/blog.php
https://www.vbulletin.com/forum/
https://www.vbulletin.com/forum/group.php
etc..
Simple Example:
https://www.vbulletin.com/forum/group.php
http://2.bp.blogspot.com/-BGr5Gpx3hcU/T25sVUwAXOI/AAAAAAAAA1k/ZMIHWQ33RJM/s1600/demo.JPG
Click on URL and put our xss code in the URL:
http://2.bp.blogspot.com/-u4MX7TvWS0I/T25tETfkJCI/AAAAAAAAA1w/eCYX2ANJAC8/s1600/demo2.JPG
And press button Ok and button Preview Message.
http://4.bp.blogspot.com/-Nu2V0B8a9X8/T25ueP3feZI/AAAAAAAAA18/PzTyykhnRsA/s1600/demo3.JPG
We can see xss. It's in all places, where we can use "url".
How you can use this? idk..
But i know what you can use..
Create new topic, put our xss in the "url" and click on Promote to Article..
http://2.bp.blogspot.com/-jjoVibvT6Jc/T25w8Y44ihI/AAAAAAAAA2I/49o61qj0-Go/s1600/pr.JPG
or Blog this Post..
http://3.bp.blogspot.com/-Z1d0eiIjvAw/T25xa3qvmyI/AAAAAAAAA2U/mzmP5SU3qTA/s1600/blog.JPG
It's a hard, but possibly.
Simple Video PoC:
http://www.youtube.com/watch?v=endyyK1rW4k
Or example on http://www.chinclub.ru/forum.php
http://www.chinclub.ru/showthread.php?p=257153
(It's topic) You can create other with xss (for example).
But we can give other link for users or admin ..(link Blog this Post)
http://www.chinclub.ru/blog_post.php?do=newblog&p=257153
And here we can see our persistent xss and..hmm..
We test this on some forums. It's work.
Demo vBulletin Forum. Version 4.1.10.
https://www.vbulletin.com/admindemo.php
PoC original:
http://st2tea.blogspot.com/2012/03/vbulletin-4110-4111-cross-site.html