|
Thursday, 11 May 2006 |
» Summary:
vbulletin is a powerfull Forum System
»Description
An administrator user may upload CSS Code thats obteining a phpshell ,and chose it from the vbulletins style choser. So when he chose it he will see the phpshell.
Here is an example of the css file
http://b3hr0uz.persiangig.com/VbStyleVuln.txt
in this file the xml obtein a phpshell so the user have to upload the xml file and then chose his style and thats it .
Note : dont forget to chose ignore style version ( :P ) and also that youll maybe think about this isnt a bug actualy u can make your access to the server with stealling the administrator password
Discovered By Aria-Security Team (Aura - Outlaw - Rayden)
» Solution
No Solution . ( maybe by password protection from you cpanel)
|
