COMMAND

    Splatt Forum cross-site scripting vulnerability

SYSTEMS AFFECTED

    Splatt Forum 3.0

PROBLEM

    MegaHz [http://www.megahz.org] found the following:

    Splatt Forum places a user-provided string (taken from the [IMG]
    tag) into the following HTML tag:

        <img src="$user_provided" border="0" />

    While there is a check forcing the string to begin with "http://",
    it does not disallow the double-quote character ("). A malicious
    user can therefore close the src="" attribute of the HTML tag and
    insert their own attributes or HTML code. The same problem exists
    in the remote-avatar field of the user profile.

    Example
    =======
    Enter the following anywhere in a message:

        [img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

    After that, anyone reading the message sees a popup showing their
    own cookie: the quote closes the src attribute, and because
    http://a.a/a does not load as an image the browser runs the injected
    onerror handler.

    Severity
    ========
    Malicious users can steal other users' and the administrator's
    cookies. This would allow the attacker to impersonate other users
    on the board and gain access to the administration panel.

SOLUTION

    Upgrade to the latest version of Splatt (version 3.1). Download
    Splatt from:

        http://www.splatt.it
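As an added illustration (not code from the advisory or from Splatt itself), the following Python models the prefix-only check described above next to a hardened replacement, and shows what a browser-style tokenizer sees when the advisory's payload is rendered. The vulnerable function only reproduces the behaviour the advisory describes, not Splatt's actual source; the allow-list regex and the attribute-encoding step in the hardened function are this example's own choices, not the fix shipped in Splatt 3.1.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Payload copied from the advisory's Example section (the text between the
# [img] and [/img] tags).
ADVISORY_PAYLOAD = 'http://a.a/a"onerror="javascript:alert(document.cookie)'


def render_img_vulnerable(user_url: str) -> Optional[str]:
    """Model of the check the advisory describes (assumption: this is not
    Splatt's real code). The value must start with "http://", but a double
    quote inside it is not rejected, so it can close the src attribute and
    add new attributes such as onerror."""
    if not user_url.startswith("http://"):
        return None
    return f'<img src="{user_url}" border="0" />'


# Allow-list of characters that may appear in an http(s) URL (this example's
# own choice). Quotes, angle brackets, whitespace and control characters are
# deliberately absent, so a value that passes can never terminate the
# attribute it is placed in.
_SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+$")


def render_img_hardened(user_url: str) -> Optional[str]:
    """Hardened replacement (an assumption of this example, not the vendor's
    fix): validate against the allow-list, make sure the value really parses
    as an http(s) URL with a host, then attribute-encode it."""
    if not _SAFE_URL.match(user_url):
        return None
    parts = urlsplit(user_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Defence in depth: encoding the value means that even a later relaxation
    # of the allow-list cannot reintroduce an attribute breakout.
    return f'<img src="{html.escape(user_url, quote=True)}" border="0" />'


class _AttrCollector(HTMLParser):
    """Collects attribute names the way an HTML tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.names.extend(name for name, _ in attrs)


def attribute_names(rendered: str) -> List[str]:
    """Return the attribute names of the rendered tag. Anything other than
    src and border means user input escaped the src="" attribute."""
    collector = _AttrCollector()
    collector.feed(rendered)
    collector.close()
    return collector.names


if __name__ == "__main__":
    vulnerable = render_img_vulnerable(ADVISORY_PAYLOAD)
    print("vulnerable output :", vulnerable)
    print("attributes seen   :", attribute_names(vulnerable))
    print("hardened, payload :", render_img_hardened(ADVISORY_PAYLOAD))
    print("hardened, legit   :",
          render_img_hardened("http://www.splatt.it/images/logo.gif"))
```

Running the block prints the vulnerable tag with src, onerror and border as three separate attributes, while the hardened renderer rejects the payload outright and passes an ordinary image URL through unchanged (with any & in a query string encoded as &amp;, which is the correct form inside an HTML attribute).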