|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Security Advisory: Woltlab Burning Board Lite formmail.php XSS
From: Martin Heistermann (martin.heistermann
web.de)
Date: Sat Jan 08 2005 - 13:29:57 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Advisory Information
--------------------
Advisory name : Woltlab Burning Board Lite formmail.php XSS
Discovered by : drhankey / it-security23.net
Vendor Name : Woltlab
Vendor Homepage : http://www.woltlab.de
Software : Woltlab Burning Board Lite
Vulnerability Type : Cross-Site-Scripting
Vulnerable Versions : 1.0.0, 1.0.1e, maybe more
Platforms : OS Independent, PHP
What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board
Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add arbitary Code to the output by using a malformed link.
The Board also allows logging in with stolen cookies.
Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script x="y
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]