[24395] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

XMB cross-scripting vulnerability

daemon@ATHENA.MIT.EDU (skizzik@imail.ru)
Sat Feb 23 10:48:33 2002

Content-Type: text/plain; charset="koi8-r"
Content-Disposition: inline
Content-Transfer-Encoding: 7BIT
MIME-Version: 1.0
Message-Id: <.iD6VJLPQh16WL2@aport2000.ru>
From: skizzik@imail.ru
Date: Fri, 22 Feb 2002 17:00:58 +0300
To: bugtraq@securityfocus.com

   XMB is a php-based forum. This product contain a 
Cross Site Scripting vulnerability that allows 
attackers to insert JavaScript code (and other HTML 
code) into existing messages, bypassing the internal 
JavaScript/HTML code stripper.

   Exploit:
   [img]javasCript:alert('Hello world.')[/img]

   Vulnerable systems:
   All versions of XMB board, including  last version -
   XMB 1.6x Magic Lantern

   Immune systems:
   None

   Possible solution:
   Searching the image URL for the text "javascript:" 
should solve the problem

                                      SliderGod.


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[24395] in bugtraq

XMB cross-scripting vulnerability

daemon@ATHENA.MIT.EDU (skizzik@imail.ru)Sat Feb 23 10:48:33 2002

daemon@ATHENA.MIT.EDU (skizzik@imail.ru)
Sat Feb 23 10:48:33 2002