|
Full Disclosure
mailing list archives
vBulletin and MyBB Vulnerability
From: kaveh ghaemmaghami <kavehghaemmaghami () googlemail com>
Date: Thu, 30 Aug 2012 03:25:40 -0700
How I hijacked users, username and password with posting an image link
in vBulletin and MyBB
Vulnerability details:
I have posted an image link from my web site the image link that I
have posted is protected by basic authentication. I am authenticated
to the protected image folder that I am going to post which means I
can post the link and it will load from forum to me because I am
Authenticated to the protected file but others not. This is the point,
when a vBulletin based forum trying to load my posted image to users
who trying to read my post a logging massage box going to prompt and
requiring them for logging again with their username and password and
when they fill up prompted massage box with their username and
password I was able to hijack their username and password.
check out attached image
cheers
coolkaveh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- vBulletin and MyBB Vulnerability kaveh ghaemmaghami (Aug 30)
| 
