vBulletin 4.0.0-4.0.2 YaAS (yet another award system) XSS Vu
Posted on 13 May 2010
=======================================================================
vBulletin 4.0.0-4.0.2 YaAS (yet another award system) XSS Vulnerability
=======================================================================

# Exploit Title: vBulletin 4.0.0-4.0.2 YaAS 4.0.0 (yet another award system) XSS
# Date: 2010-05-13
# Author: Un-Dead
# Team: eX.ploit ( http://ex.ploit.net )
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=232684&highlight=yet+another+award+system
# Google Dork: inurl: recommend_award.php?award_id=1
# Version: vBulletin 4.0.0 thru 4.0.2 using YaAS v4.0.0 (YaAS has since been updated to 4.0.1, and this does not work on the updated version)
# Tested on: Windows XP SP3, KDE3.5, vBulletin with HTML turned off
# Usage: XSS

# Code:

This will only work if the administrator has opted to set "recommend this award" to create a new poll somewhere in the forum (the admin area is even better for cookie stealing :)). Again, this will not work on the latest update of YaAS, but it will work on YaAS 4.0.0.

Click the awards tab and choose "recommend this award". In the member name field, type anything; it doesn't really matter. In the body, put your XSS:

<script>alert('xss');</script>

The infected page will be the poll that was created. If the admin does not have "create new poll" enabled, this eX.ploit is useless.

# http://inj3ct0r.com/ [2010-05-13]
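The root cause described above is user-supplied text from the recommend-award form being written into a new poll without output encoding. As an added, defender-side illustration (this is not the YaAS mod's code, and the function and field names are assumptions), here is the unsafe pattern beside a hardened version that encodes the member name and body for the HTML context the poll is rendered in:

```php
<?php
// Added illustration, not YaAS code. Function names, field names and the
// poll text layout are assumed for the example.

// Unsafe pattern: user-supplied strings are concatenated straight into the
// text the forum will later render as the poll, so any markup in them is
// interpreted by the browser instead of being shown as text.
function build_poll_body_unsafe(string $member, string $body): string
{
    return "Recommended by " . $member . ": " . $body;
}

// Hardened pattern: encode every user-supplied value for the HTML context it
// is written into. ENT_QUOTES covers both quote styles so the same text is
// also safe inside attributes; the charset must match the page's declared
// encoding, otherwise the encoder can be bypassed with malformed sequences.
function build_poll_body_safe(string $member, string $body, string $charset = 'UTF-8'): string
{
    $enc = static function (string $s) use ($charset): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, $charset);
    };
    return "Recommended by " . $enc($member) . ": " . $enc($body);
}

// Defensive check for logging or alerting: returns true when encoding changed
// the input, i.e. the submission contained characters significant to HTML.
function looks_like_markup(string $s, string $charset = 'UTF-8'): bool
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, $charset) !== $s;
}

// Constructed sample input mirroring the payload quoted in the advisory.
$member = 'anyone';
$body   = "<script>alert('xss');</script>";

// The unsafe builder passes the script tag through untouched; the safe one
// turns <, >, and both quote characters into entities so it renders as text.
echo build_poll_body_unsafe($member, $body), PHP_EOL;
echo build_poll_body_safe($member, $body), PHP_EOL;

if (looks_like_markup($body)) {
    error_log('recommend_award: submission contained HTML-significant characters');
}
```

Encoding at output time is the fix that matters here; the forum-wide "HTML turned off" setting mentioned in the advisory did not stop this because the mod produced the poll text itself.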