OSEC

From: MegaHz (megahzmegahz.org)
Date: Thu Jun 06 2002 - 08:01:29 CDT



    Vulnerable systems:
     * Splatt Forum 3.0

    Immune systems:
     * Splatt Forum 3.1

    Splatt Forum inserts a user-provided string (taken from the [IMG] tag)
    into the following HTML tag:
    <img src="$user_provided" border="0" />

    While there is a check that forces the string to begin with "http://",
    the check does not reject the double-quote character ("). A malicious
    user can therefore close the src="" attribute in the HTML tag and
    insert their own attributes or HTML code. The same problem also exists
    in the remote avatar field of the user profile.

    Example:
    Enter the following anywhere in a message:
    [img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

    After that, anyone reading the message should see a popup showing
    their own cookie.
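The flaw and its fix side by side, as an added example that is not Splatt's own code: a reconstruction of a prefix-only check that drops the string into the src attribute, next to a hardened converter that validates the whole URL against an allow-list and HTML-escapes the attribute value. The [img]-to-HTML regex, the SAFE_URL pattern and the sample input (the payload quoted in the advisory) are assumptions constructed for this example; the same hardened function applies to the remote-avatar field.

```python
import html
import re

# Constructed sample input: the [img] payload quoted in the advisory.
PAYLOAD = 'http://a.a/a"onerror="javascript:alert(document.cookie)'

# Assumed bbcode form; Splatt's real tag parser is not on the page.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_vulnerable(body: str) -> str:
    """Reconstruction of the 3.0 behaviour described in the advisory:
    only the 'http://' prefix is checked, then the raw string is placed
    inside src="". A double quote in the string closes the attribute."""
    def sub(m):
        url = m.group(1)
        if not url.startswith("http://"):
            return m.group(0)  # prefix check failed: leave the tag as text
        return '<img src="%s" border="0" />' % url
    return IMG_TAG.sub(sub, body)


# Allow-list for a URL that may be placed in an attribute: scheme, host,
# optional port, optional path/query. Quotes, angle brackets, whitespace
# and other attribute-breaking characters are simply not in the class.
SAFE_URL = re.compile(
    r"^https?://[A-Za-z0-9.\-]+(?::\d{1,5})?"
    r"(?:/[A-Za-z0-9._~:/?#@!$&*+,;=%\-]*)?$"
)


def render_img_hardened(body: str) -> str:
    """Hardened conversion: reject any URL that fails the allow-list, and
    escape the attribute value so a quote can never terminate src=""."""
    def sub(m):
        url = m.group(1)
        if not SAFE_URL.match(url):
            # Do not render it; escape the raw tag so it is inert as text.
            return html.escape(m.group(0), quote=True)
        return '<img src="%s" border="0" />' % html.escape(url, quote=True)
    return IMG_TAG.sub(sub, body)
```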

    Severity:
    Malicious users can steal other users' and the administrator's
    cookies. This would allow the attacker to impersonate other users on
    the board and to access the administration panel.

    Solution:
    Upgrade to the latest version of Splatt (version 3.1).
    Download splatt from: www.splatt.it

    p.s. LIKE the recent PHPBB2 bug, (I just copy and paste from
    securiteam's phpbb advisory)

    /*
     * Andreas Constantinides (MegaHz)
     * www.cyhackportal.com
     * www.megahz.org
     *
     */
