# Exploit Title:  vBulletin 4.1.10 - 4.1.11 Cross Site Scripting
# Date: 25.03.2012
# Author: Sony and Flexxpoint
# Software Link: https://www.vbulletin.com/
# Web Browser : Mozilla Firefox
# Blog Flexxpoint: http://flexxpoint.blogspot.com/
# Blog Sony: http://st2tea.blogspot.com
# Site : http://insecurity.ro
..................................................................

Well, we have an interesting xss in vBulletin 4.1.10 - 4.1.11 (maybe other
versions).

We have xss in a lot of places.

https://www.vbulletin.com/forum/blog.php
https://www.vbulletin.com/forum/
https://www.vbulletin.com/forum/group.php
etc..


Simple Example:

https://www.vbulletin.com/forum/group.php

http://2.bp.blogspot.com/-BGr5Gpx3hcU/T25sVUwAXOI/AAAAAAAAA1k/ZMIHWQ33RJM/s1600/demo.JPG

Click on URL and put our xss code in the URL:

http://2.bp.blogspot.com/-u4MX7TvWS0I/T25tETfkJCI/AAAAAAAAA1w/eCYX2ANJAC8/s1600/demo2.JPG

Then press the Ok button and the Preview Message button.

http://4.bp.blogspot.com/-Nu2V0B8a9X8/T25ueP3feZI/AAAAAAAAA18/PzTyykhnRsA/s1600/demo3.JPG

We can see the xss. It's in all places where we can use "url".

How can you use this? idk..

But I know what you can use..

Create new topic, put our xss in the "url" and click on Promote to Article..

http://2.bp.blogspot.com/-jjoVibvT6Jc/T25w8Y44ihI/AAAAAAAAA2I/49o61qj0-Go/s1600/pr.JPG

or Blog this Post..

http://3.bp.blogspot.com/-Z1d0eiIjvAw/T25xa3qvmyI/AAAAAAAAA2U/mzmP5SU3qTA/s1600/blog.JPG

It's hard, but possible.

Simple Video PoC:

http://www.youtube.com/watch?v=endyyK1rW4k

Or example on http://www.chinclub.ru/forum.php

http://www.chinclub.ru/showthread.php?p=257153

(It's a topic.) You can create another one with xss (for example).

But we can give another link to users or the admin.. (the Blog this Post link)

http://www.chinclub.ru/blog_post.php?do=newblog&p=257153

And here we can see our persistent xss and..hmm..

We tested this on some forums. It works.

Demo vBulletin Forum. Version 4.1.10.

https://www.vbulletin.com/admindemo.php

PoC original:

http://st2tea.blogspot.com/2012/03/vbulletin-4110-4111-cross-site.html
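
Mitigation sketch for the "url" input described above, as an added example that is not vBulletin code and not from the original advisory: a renderer for a url tag that allowlists the scheme and escapes the value at output, so preview, Promote to Article and Blog this Post all get the same inert markup. The advisory does not state the root cause, so this assumes the value has to be validated and HTML-escaped wherever it is rendered; the function names and sample inputs are hypothetical.

```php
<?php
// Added example: hardened rendering of a user-supplied "url" value.
// Hypothetical helper names; not taken from vBulletin.

const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

// Return the URL unchanged if it is acceptable, otherwise null.
function safe_url_or_null(string $raw): ?string
{
    $url = trim($raw);
    // Reject control characters, whitespace, quotes, backticks and angle brackets.
    if ($url === '' || preg_match('/[\x00-\x20\x7F"\'<>`]/', $url)) {
        return null;
    }
    // Require an explicit scheme and check it against the allowlist.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $url : null;
}

// Build the HTML for one url tag. Both the URL and the label are escaped
// at output time, independently of the validation above.
function render_url_tag(string $rawUrl, string $rawText): string
{
    $text = htmlspecialchars($rawText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = safe_url_or_null($rawUrl);
    if ($url === null) {
        return $text; // no link is built; the label is shown as plain text
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow noopener">' . $text . '</a>';
}

// Constructed sample inputs: one benign, one with a script scheme,
// one that tries to close the attribute and the tag.
$samples = [
    ['http://example.test/thread?id=1&page=2', 'normal link'],
    ['javascript:void(0)',                     'script scheme'],
    ['http://example.test/"><b>x',             'attribute breakout'],
];
foreach ($samples as [$url, $label]) {
    echo render_url_tag($url, $label), PHP_EOL;
}
```

Only the first sample is emitted as a link (with `&` written as `&amp;` in the href); the other two come out as plain escaped text.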