Full Disclosure mailing list archives
Invision Iframe Bug
From: "Woody" <woody () woodys-software com>
Date: Thu, 24 Mar 2005 13:48:14 +0100 (CET)
Hi,

I've found a bug in Invision Board, it lets you send private messages around, change people's signature, avatar, etc.

If the administrator doesn't filter all the html tags on a forum (or just forgets, which is often the case) you can add an invisible iframe to your post. Now if you just figure out how invision board sends for example a private message, you can let people send one to someone.

Example:

<iframe id="frame1" name="frame1" frameborder=0 width=0 height=0 src="http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1&entered_name=Woody&msg_title=hi&Post=I%20love%20you!"> </iframe>

Every person who would view the post would send Woody a private message (message: I love you, subject: hi). They wouldn't know it happened because the iframe is invisible. You just have to figure out how IB works.

This bug CAN NOT change passwords, email addresses or let an administrator do stuff. It's pretty harmless really. I guess all versions are "affected" because it just depends on the administrator of the forum.

Woody
woodys-software.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
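Added example, not part of the post above and not Invision Board's own code: a server-side check under which the embedded request from the message is refused, because a state-changing action must arrive as a POST carrying a per-session token that a page embedding the URL cannot supply. The names SERVER_KEY, STATE_CHANGING, auth_token, issue_token and allow_request are hypothetical; only the act=Msg and CODE=04 values come from the URL in the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server secret and action table (assumptions for this example).
SERVER_KEY = secrets.token_bytes(32)
# (act, CODE) pair taken from the URL quoted in the post: "send private message".
STATE_CHANGING = {("Msg", "04")}


def issue_token(session_id: str) -> str:
    """Per-session token the forum would embed in its own forms as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def allow_request(method: str, url: str, form: dict, session_id: str) -> bool:
    """Return True if the request may be processed for this session."""
    query = parse_qs(urlsplit(url).query)
    # The action selectors can arrive in the query string or the POST body.
    act = form.get("act") or query.get("act", [""])[0]
    code = form.get("CODE") or query.get("CODE", [""])[0]
    if (act, code) not in STATE_CHANGING:
        return True  # read-only page views need no token
    if method.upper() != "POST":
        return False  # a src= attribute in a post can only trigger a GET
    # The token is read from the POST body only, never from the URL,
    # and compared in constant time.
    supplied = form.get("auth_token", "")
    expected = issue_token(session_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())
```
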
Current thread:
- Invision Iframe Bug Woody (Mar 24)
- Re: Invision Iframe Bug Paul Laudanski (Mar 24)