Bugtraq mailing list archives

Splatt Forum XSS


From: "MegaHz" <megahz () megahz org>
Date: Thu, 6 Jun 2002 16:01:29 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerable systems:
 * Splatt Forum 3.0

Immune systems:
 * Splatt Forum 3.1

Splatt Forum takes a user-supplied string (through the [IMG] BBCode tag)
and places it in the following HTML tag:
<img src="$user_provided" border="0" />

While there is a check forcing the string to begin with "http://", the
double-quote character (") is not rejected. A malicious user can
therefore close the src="" attribute early and insert their own
attributes or HTML into the tag. The same problem exists in the remote
avatar field of the user profile.

Example:
Enter the following anywhere in a message:
[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

After that, anyone reading the message should see a popup with their
cookie (the image URL does not resolve, so the injected onerror handler
runs in the reader's browser).
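The pattern described above, as an added example that is not Splatt Forum's own code: a minimal PHP [IMG] handler that only checks the "http://" prefix and interpolates the URL straight into the attribute, next to a hardened version that allows only a safe URL character set and HTML-encodes the value. The function names, regular expressions and the allowed character set are assumptions for illustration; the remote-avatar field needs the same treatment.

```php
<?php
// Added example, not code from Splatt Forum. Function names and the
// URL character allowlist below are assumptions for illustration.

// Vulnerable: mirrors the advisory. Only the "http://" prefix is checked,
// and the string is interpolated unescaped into the src attribute, so a
// double quote in the URL closes the attribute and adds new ones.
function img_tag_vulnerable(string $text): string
{
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url = $m[1];
            // The only check: the string must begin with "http://".
            if (strncmp($url, 'http://', 7) !== 0) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // Unescaped interpolation: this is the bug.
            return '<img src="' . $url . '" border="0" />';
        },
        $text
    );
}

// Hardened: accept only http/https URLs made of characters that cannot
// terminate an attribute or open a tag (no quotes, <, >, whitespace or
// backslash), then HTML-encode the value anyway as defence in depth.
function img_tag_hardened(string $text): string
{
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url = $m[1];
            $allowed = '{^https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%\[\]-]+$}';
            if (!preg_match($allowed, $url)) {
                // Not a usable URL: show the BBCode literally, encoded.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<img src="' . $safe . '" border="0" />';
        },
        $text
    );
}

// Constructed input: the payload from the advisory.
$payload = '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]';

echo img_tag_vulnerable($payload), "\n";
echo img_tag_hardened($payload), "\n";
```

With the vulnerable handler the double quote ends the src attribute and the rest of the string becomes an onerror attribute on the same tag; the hardened handler rejects the string at the allowlist check and emits the BBCode as encoded text, so no attribute boundary is crossed.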

Severity:
Malicious users can steal other users' and the administrator's
cookies. This would allow the attacker to impersonate other users on
the board and gain access to the administration panel.

Solution:
Upgrade to the latest version of Splatt (version 3.1).
Download splatt from: www.splatt.it


p.s. Like the recent phpBB2 bug (I just copied and pasted from
SecuriTeam's phpBB advisory).



/*
 * Andreas Constantinides (MegaHz)
 * www.cyhackportal.com
 * www.megahz.org
 *
 */

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPP9dJkJeOgJQULK7EQKFAACfYC3RGv+o4nDYO+fUtqkljjD51MUAnAhE
XCAhzIEN5B9zN14s54P19N49
=ERD/
-----END PGP SIGNATURE-----

