[38115] in bugtraq
Security Advisory: Woltlab Burning Board Lite formmail.php XSS
daemon@ATHENA.MIT.EDU (Martin Heistermann)
Mon Jan 10 11:24:29 2005
Date: 8 Jan 2005 19:29:57 -0000
Message-ID: <20050108192957.25739.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Martin Heistermann <martin.heistermann@web.de>
To: bugtraq@securityfocus.com
Advisory Information
--------------------
Advisory name : Woltlab Burning Board Lite formmail.php XSS
Discovered by : drhankey / it-security23.net
Vendor Name : Woltlab
Vendor Homepage : http://www.woltlab.de
Software : Woltlab Burning Board Lite
Vulnerability Type : Cross-Site-Scripting
Vulnerable Versions : 1.0.0, 1.0.1e, maybe more
Platforms : OS Independent, PHP
What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board
Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add arbitary Code to the output by using a malformed link.
The Board also allows logging in with stolen cookies.
Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script x="y
