Saturday, June 23, 2012

[ TITLE ....... ][ vBulletin 4.1.12 Reflected XSS (try csrf*) for registered users
[ DATE ........ ][ 24.04.2012
[ AUTOHR ...... ][ http:/.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it!

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected cross-site scripting.

(* ..., because I think this could be extended to attack
with 'non-visible button'. )

[--------------------------------------------[
[ 3. Where is bug

When You are logged-in as a normal user, You can add post to forum.
You can add title (parameter "subject") of Your post only with 85 characters.
And that's the trick, because error displayed to user (if 'subject' is > 85 chars)
can contain XSS code.

Try to add Ax85+"><xss><

vBulletin 4.1.12 - Cross Site Scripting

  • Uploaded by: MIN Software
  • Views:
  • Category: ,
    • Share

    0 comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

     

    Our Team Members

    Copyright © hacker va bao mat | Designed by Templateism.com | WPResearcher.com