Exploit for vBulletin "obscure" XSS (3.7.1 & 3.6.10)

Advisory : Exploit for vBulletin "obscure" XSS
Version : vBulletin 3.7.1 and lower, vBulletin 3.6.10 and lower
Authors : Jessica Hope (jessicasaulhope () googlemail com)

Due to various failures in sanitising user input, it is possible to construct XSS attacks that are rather damaging.

vBulletin released PL1 for their 3.7.1 and 3.6.10 versions of vBulletin:

In the above topic they try to pass off the XSS as difficult to exploit, [...] XSS is and how wrong Jelsoft are for assuming that XSS is harmless.

First, the discussion of exactly what the exploit is. The XSS in question exists on the login page for the ACP (admin control panel). [...] script takes a redirect parameter that lacks sanitation, allowing a [...]

What is even better is that the exploit will work outright if the admin is already logged in; if the admin is not, they [...] If you Base64-encode your attack vector using the data: URI scheme, the XSS survives the login request and activates after [...]

Now to address the quote "potential for exposure and damage is limited". Clearly Jelsoft have never seen what one can do with an XSS. You have an unlimited and unaltered XSS space, so you're free to invoke some AJAX and have fun. Just to give ideas on how this could turn into something larger, vBulletin has hooks that operate using eval(), and new hooks can be added via the ACP itself. It is trivial to write some JS that not only enables hooks but also inserts a nice RFI hook.
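A defensive counterpart to the unsanitised redirect parameter described in the advisory, as an added example (not vBulletin's code and not its PL1 patch): a post-login redirect validator that accepts only same-site relative paths, so `data:` and other scheme-bearing values fall back to a default. The function names, the `index.php` fallback, the hidden-field output and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not taken from vBulletin.
// Returns $raw only if it is a plain same-site relative path; otherwise $fallback.
function safe_redirect_target(string $raw, string $fallback = 'index.php'): string
{
    // Check the value as received and once URL-decoded, so an encoded
    // colon or slash cannot slip through if the value is decoded again later.
    foreach ([$raw, rawurldecode($raw)] as $candidate) {
        // Protocol-relative ("//host/path") targets leave the site.
        if (strncmp($candidate, '//', 2) === 0) {
            return $fallback;
        }
        // Allowlist of path/query characters. It excludes ":" (so no scheme
        // such as data: or javascript: can be expressed), backslashes,
        // whitespace, control characters, quotes and angle brackets.
        if (!preg_match('~\A[A-Za-z0-9_./?&=%#-]+\z~', $candidate)) {
            return $fallback;
        }
    }
    return $raw;
}

// Escape at the point of output as well: validation limits where the
// redirect can go, encoding keeps the value inert inside HTML.
function redirect_field(string $raw): string
{
    $target = safe_redirect_target($raw);
    return '<input type="hidden" name="redirect" value="'
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample inputs (not from the advisory).
$samples = [
    'index.php?do=home',            // ordinary relative target
    'data:text/html;base64,AAAA',   // scheme-bearing value (placeholder body)
    'data%3Atext/html',             // same, with the colon percent-encoded
    '//example.invalid/acp',        // protocol-relative
    "java\tscript:void(0)",         // scheme split by a tab
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", json_encode($s), safe_redirect_target($s));
}
```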