Update vbulletin-replacead-rce.yaml #12164
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
|
Hi @Chocapikk Thank you so much for updating the template and contributing to the project. 🍻 You can grab some cool PD stickers over here http://nux.gg/stickers 😄 You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again |
ritikchaddha
approved these changes
May 31, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Template / PR Information
Relying on
Content-Type: application/jsonto detect the vulnerability is unreliable, because many vBulletin installations, especially across different 5.x and early 6.x versions return HTML. In some builds the initialajax/api/ad/replaceAdTemplatecall may inject the<vb:if>correctly but won't echo yourvar_dumpresult in its response, so your scanner appears to miss the issue. By following up with a second POST toajax/render/ad_<location>, you force the template to be rendered and can reliably capture thestring(<length>) "<value>"output, regardless of whether the first response looked like JSON or HTML. This approach ensures you don't miss exploitable instances simply because the server hides its output behind an unexpected content type.