# Exploit Title: vBulletin 4.1.10 - 4.1.11 Cross Site Scripting # Date: 25.03.2012 # Author: Sony and Flexxpoint # Software Link: https://www.vbulletin.com/ # Web Browser : Mozilla Firefox # Blog Flexxpoint: http://flexxpoint.blogspot.com/ # Blog Sony: http://st2tea.blogspot.com # Site : http://insecurity.ro .................................................................. Well, we have an interesting xss in vBulletin 4.1.10 - 4.1.11 (maybe other version) We have xss in a lot of places. https://www.vbulletin.com/forum/blog.php https://www.vbulletin.com/forum/ https://www.vbulletin.com/forum/group.php etc.. Simple Example: https://www.vbulletin.com/forum/group.php http://2.bp.blogspot.com/-BGr5Gpx3hcU/T25sVUwAXOI/AAAAAAAAA1k/ZMIHWQ33RJM/s1600/demo.JPG Click on URL and put our xss code in the URL: http://2.bp.blogspot.com/-u4MX7TvWS0I/T25tETfkJCI/AAAAAAAAA1w/eCYX2ANJAC8/s1600/demo2.JPG And press button Ok and button Preview Message. http://4.bp.blogspot.com/-Nu2V0B8a9X8/T25ueP3feZI/AAAAAAAAA18/PzTyykhnRsA/s1600/demo3.JPG We can see xss. It's in all places, where we can use "url". How you can use this? idk.. But i know what you can use.. Create new topic, put our xss in the "url" and click on Promote to Article.. http://2.bp.blogspot.com/-jjoVibvT6Jc/T25w8Y44ihI/AAAAAAAAA2I/49o61qj0-Go/s1600/pr.JPG or Blog this Post.. http://3.bp.blogspot.com/-Z1d0eiIjvAw/T25xa3qvmyI/AAAAAAAAA2U/mzmP5SU3qTA/s1600/blog.JPG It's a hard, but possibly. Simple Video PoC: http://www.youtube.com/watch?v=endyyK1rW4k Or example on http://www.chinclub.ru/forum.php http://www.chinclub.ru/showthread.php?p=257153 (It's topic) You can create other with xss (for example). But we can give other link for users or admin ..(link Blog this Post) http://www.chinclub.ru/blog_post.php?do=newblog&p=257153 And here we can see our persistent xss and..hmm.. We test this on some forums. It's work. Demo vBulletin Forum. Version 4.1.10. https://www.vbulletin.com/admindemo.php PoC original: http://st2tea.blogspot.com/2012/03/vbulletin-4110-4111-cross-site.html