IT Security and Insecurity Portal

vB 3.6.8 questions

Posted: Wed Sep 08, 2010 6:44 pm
gone
Regular user
Joined: Sep 08, 2010
Posts: 5

On the net it says there are some kinda cross-site scripting holes. I checked every place I could think of to add HTML code and simple scripts.
The script tags are turned into a string and are red. All HTML characters
become special characters, so HTML is turned off, so there is no hole in this site I was messing with.
Is there a workaround besides the admin hack I read so much about?

Posted: Thu Sep 09, 2010 11:40 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I have seen similar exploits, but they are hard to exploit and chance of success is slim.
If target forum is located on shared webserver, then enumerate neighbor websites.
If you can find neighbor website with exploitable vulnerability,
then there is chance to use it against main website (if webserver is configured not very securely).
And look for third-party add-ons -> vbseo, etc.
Such third-party software components are usually less secure than vBulletin itself.

Posted: Tue Sep 14, 2010 7:19 pm
gone
Regular user
Joined: Sep 08, 2010
Posts: 5

The server has gone down a few times but I'm not sure what other sites they host.
What do you mean by add-ons? The only thing I know of are Google ads. This is a very basic VB forum.
Plus the admin hack may not work on an admin who changed his permission level to a Gmod.

Posted: Tue Sep 14, 2010 9:23 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Posted: Wed Sep 15, 2010 7:01 pm
gone
Regular user
Joined: Sep 08, 2010
Posts: 5

There is only one site on that server but there are some nearby IP addresses:
ultimatetoronto.com, mysticlovenetwork.sslpowered.com, womackconstruction.net ...
pseudo-flaw.net, libertycentersf.org, maxb.net ...
us-creations.com, indianovo.com, aakritisolutions.com ...
The admin hack will work now. If I take some cookies, can I use the cookies any time or do I have to use them now?

Posted: Thu Sep 16, 2010 11:16 pm
gone
Regular user
Joined: Sep 08, 2010
Posts: 5

I have everything set up but I want to test this on a vB forum. I can't find a free one to test on. Are there free vB sites? I haven't found any.
All times are GMT