[25677] in bugtraq
Splatt Forum XSS
daemon@ATHENA.MIT.EDU (MegaHz)
Thu Jun 6 14:03:49 2002
Message-ID: <002101c20d5a$47b7c9c0$1d0110ac@glory.com>
From: "MegaHz" <megahz@megahz.org>
To: <bugtraq@securityfocus.com>
Cc: <vulnwatch@vulnwatch.org>, <news@securiteam.com>
Date: Thu, 6 Jun 2002 16:01:29 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vulnerable systems:
* Splatt Forum 3.0
Immune systems:
* Splatt Forum 3.1
Splatt Forum inserts a user-provided string (the contents of the [IMG]
BBCode tag) into the following HTML tag:
<img src="$user_provided" border="0" />
The only check is that the string begins with "http://"; the double
quote character (") is not rejected. A malicious user can therefore
close the src="" attribute early and append his own attributes or HTML
to the tag. The same problem exists in the remote avatar URL of the
user profile.
Example:
Enter the following anywhere in a message:
[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]
The image URL does not load, so the injected onerror handler fires and
anyone reading the message should see a popup with his own cookie.
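The following is an added illustration written for this archive entry, not Splatt's own code: a constructed model of an [img] BBCode handler with the prefix-only check described above, next to a hardened version that both validates the URL and HTML-encodes it for the attribute context. The payload from the advisory is fed through both, and a tokenizer-style parse shows which attributes a browser would end up assigning to the <img> tag. The BBCode regex, the helper names and the sample URLs are assumptions made for the example.

```python
"""Model of the [img] handling described in the advisory (constructed
example, not Splatt Forum code): render [img]...[/img] into
<img src="..." border="0" />, first with a prefix-only check and then with
URL validation plus attribute encoding."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed BBCode syntax for the example; Splatt's real parser may differ.
IMG_BBCODE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Payload quoted in the advisory, reused here as constructed test input.
ADVISORY_PAYLOAD = (
    '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]'
)


def render_img_vulnerable(post: str) -> str:
    """Reproduce the flawed logic: require an http:// prefix, then drop the
    raw string straight into a double-quoted src attribute."""
    def repl(m):
        url = m.group(1)
        if not url.lower().startswith("http://"):
            # Assumed behaviour for rejected tags: show them as text.
            return html.escape(m.group(0))
        return '<img src="%s" border="0" />' % url
    return IMG_BBCODE.sub(repl, post)


def is_plain_http_url(url: str) -> bool:
    """Accept only http(s) URLs with a host and without quotes, angle
    brackets, backslashes, whitespace or control characters."""
    if any(ord(c) < 0x21 or c in '"\'<>\\' for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_img_hardened(post: str) -> str:
    """Validate the URL and, independently, HTML-encode it for the attribute
    context so a quote can never terminate src="...". Both steps are kept:
    encoding alone would still load non-http schemes, and validation alone
    silently breaks if someone later loosens the check."""
    def repl(m):
        url = m.group(1).strip()
        if not is_plain_http_url(url):
            return html.escape(m.group(0))
        return '<img src="%s" border="0" />' % html.escape(url, quote=True)
    return IMG_BBCODE.sub(repl, post)


class _ImgAttrs(HTMLParser):
    """Collect the attribute sets a tokenizer assigns to each <img> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.append(dict(attrs))


def img_attributes(markup: str) -> list:
    """Return one dict of attributes per <img> found in the markup."""
    p = _ImgAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    for render in (render_img_vulnerable, render_img_hardened):
        out = render(ADVISORY_PAYLOAD)
        print(render.__name__)
        print("  markup:", out)
        print("  parsed:", img_attributes(out))
```

In the vulnerable output the tokenizer reports a separate onerror attribute on the <img> tag, which is exactly what the browser executes; in the hardened output no <img> is emitted for the payload at all, and a legitimate URL containing an ampersand still round-trips correctly through the attribute encoding.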
Severity:
Malicious users can steal other users' and the administrator's
cookies. This would allow the attacker to impersonate other users on
the board and to gain access to the administration panel.
Solution:
Upgrade to the latest version of Splatt (version 3.1).
Download splatt from: www.splatt.it
p.s. Like the recent phpBB2 bug (I just copied and pasted from
SecuriTeam's phpBB advisory).
/*
 * Andreas Constantinides (MegaHz)
 * www.cyhackportal.com
 * www.megahz.org
 *
 */
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPP9dJkJeOgJQULK7EQKFAACfYC3RGv+o4nDYO+fUtqkljjD51MUAnAhE
XCAhzIEN5B9zN14s54P19N49
=ERD/
-----END PGP SIGNATURE-----