
WWWBoard XSS



24th Feb 2003 [SBWID-6015]
COMMAND

	WWWBoard XSS

SYSTEMS AFFECTED

	WWWBoard 2.0A2.1 and prior

PROBLEM

	In Grégory Le Bras [gregory.lebras@security-corp.org] of Security
	Corporation's security advisory [SCSA-007]:
	
	 http://www.security-corp.org/index.php?ink=4-15-1
	 http://www.security-corp.org/advisories/SCSA-007-FR.txt
	
	A Cross-Site Scripting vulnerability has been found in WWWBoard which
	allows attackers to inject script code into the forum and have it run
	in clients' browsers as if it were provided by the site.
	
	This Cross-Site Scripting vulnerability is found in the page for
	posting messages.
	
	An attacker can input specially crafted links and/or other malicious
	scripts.
	
	
	 EXPLOIT
	 ________________________________________________________________________
	
	A vulnerability was discovered in the page for posting messages, at
	this address:
	
	http://[target]/wwwboard/wwwboard.html#post
	
	
	The vulnerability lies in how the "Message" field is interpreted.
	
	Inserting hostile script code in this field allows a malicious user
	to have that script executed in the browsers of visitors.
	
	
	The hostile code could be:
	
	[script]alert("Cookie="+document.cookie)[/script] 
	
	 (opens an alert window showing the visitor's cookie.)
	
	 (replace [] with <>)
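	
	The flaw described above is missing output encoding of the "Message"
	field. The following is an added example, not part of the original
	advisory and not WWWBoard's own code: a Python sketch of a message page
	rendered with and without encoding. The function names, the page
	template and the sample values are assumptions made for illustration.

```python
import html

# Constructed sample input: the advisory's proof of concept with [] replaced by <>.
POC_MESSAGE = '<script>alert("Cookie="+document.cookie)</script>'


def render_unsafe(name, subject, message):
    """Vulnerable pattern: form fields are interpolated into HTML verbatim."""
    return (
        "<html><head><title>%s</title></head><body>\n"
        "<h1>%s</h1>\n<p>Posted by %s</p>\n<div>%s</div>\n"
        "</body></html>\n" % (subject, subject, name, message)
    )


def encode_field(value, keep_newlines=False):
    """HTML-encode one untrusted field for use in element content."""
    # html.escape turns & < > " ' into entities, so the browser shows them as text.
    encoded = html.escape(value, quote=True)
    if keep_newlines:
        # Line breaks are re-added only after encoding, so the only markup
        # in the result is the <br> tags placed here.
        encoded = encoded.replace("\r\n", "\n").replace("\n", "<br>\n")
    return encoded


def render_safe(name, subject, message):
    """Hardened pattern: every field is encoded at the point of output."""
    return render_unsafe(
        encode_field(name),
        encode_field(subject),
        encode_field(message, keep_newlines=True),
    )


def contains_live_script(page):
    """Crude check for this demo: does the page contain a literal script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render("visitor", "hello", POC_MESSAGE)
        print(render.__name__, "-> live script tag:", contains_live_script(page))
```

	Encoding is applied to the name and subject fields as well, since any
	field echoed into the page is subject to the same problem.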

SOLUTION

	None yet

