[24466] in bugtraq
RE: Open Bulletin Board javascript bug.
daemon@ATHENA.MIT.EDU (Nate Pinchot)
Fri Mar 1 01:21:51 2002
Date: Thu, 28 Feb 2002 09:07:00 -0500
Message-ID: <EAEE14ADB771234B879244F1952F35B7051FDC@ccs-mail.ccservice.cc>
From: "Nate Pinchot" <npinchot@ccservice.cc>
To: <bugtraq@securityfocus.com>
> OpenBB is free php-based forum.
>
> Exploit:
> [img]javasCript:alert('Hello world.')[/img]
>
> Vulnerable systems:
> All versions of Open Bulletin Board including v.1.0.0
>
> Immune systems:
> None
>
> Solution:
> All url's in [img] tags should start with "http://"

I had actually informed them about this bug a long time ago and
they informed me they were working on a patch. This was 2 months
ago. Since you posted this to bugtraq they finally released a patch.

The patch can be found here:
http://community.iansoft.net/read.php?TID=5159

For any who care about the technical details of the patch, they did
NOT filter [img] tags so that they start with http:// as suggested. They
filtered javascript: and some other hex codes. Chances are it is still
vulnerable, and I informed them of this; they don't seem to care.
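
The fix suggested in the quoted advisory (only accept [img] URLs that start with "http://") can be written as an allowlist check, shown here as an added example that is not part of the original post and is not OpenBB's code. The function names, the exact URL pattern and the acceptance of https are assumptions made for illustration; the sample inputs are constructed, apart from the payload quoted in the advisory.

```python
import html
import re

# Allowlist: describe the one acceptable URL shape instead of listing bad ones.
# Assumption: https is accepted alongside the "http://" prefix the advisory names.
ALLOWED_URL = re.compile(
    r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/%?&=+-]*)?"
)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_img_url(url: str) -> bool:
    """True only if the whole string matches the allowlisted URL shape."""
    return ALLOWED_URL.fullmatch(url) is not None


def render_img_tags(post: str) -> str:
    """Render [img] BBCode to HTML; a tag with a rejected URL stays inert text."""
    out = []
    pos = 0
    for m in IMG_TAG.finditer(post):
        # Text between tags is always HTML-escaped.
        out.append(html.escape(post[pos:m.start()]))
        url = m.group(1)
        if is_safe_img_url(url):
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            # Rejected: emit the original tag escaped, never as markup.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)


# Constructed sample posts; the second is the payload quoted in the advisory.
SAMPLES = [
    "[img]http://example.com/a.png[/img]",
    "[img]javasCript:alert('Hello world.')[/img]",
    "look: [img]http://example.com/a.png?x=1&y=2[/img]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(render_img_tags(s))
```

Because the check requires the entire URL to match one known-good shape, it does not depend on recognising any particular spelling or encoding of a scheme name.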