Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: web5441.htm

Splatt Forum cross site scripting vulnerability



14th Jun 2002 [SBWID-5441]
COMMAND

	Splatt Forum cross site scripting vulnerability

SYSTEMS AFFECTED

	Splatt Forum 3.0

PROBLEM

	MegaHz [http://www.megahz.org] found following:
	

	

	Splatt forum uses a user provided string (through the [IMG] tag) in  the
	following HTML tag:
	

	<img src=\"$user_provided\" border=\"0\" />

	

	

	While there is a check to force the string to begin with \"http://\"  it
	doesn\'t disallow the symbol: \". This means that a malicious  user  can
	escape the src=\"\" in the HTML tag and insert his own HTML  code.  This
	same problem also exists in the remote avatar part of the user profile.
	

	

	 Example

	 =======

	

	Enter the following anywhere in a message:
	

	[img]http://a.a/a\"onerror=\"javascript:alert(document.cookie)[/img] 

	

	

	After that, anyone reading the message  should  see  a  popup  with  his
	cookie.
	

	

	 Severity

	 ========

	

	Malicious  users  can  steal  other  users\'  and  the  administrator\'s
	cookies. This would allow the attacker to  impersonate  other  users  on
	the board and access to the administration panel.

SOLUTION

	Upgrade to the latest version of Splatt (version 3.1).  Download  splatt
	from:
	

	http://www.splatt.it

	

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH