CSS in ikonboard 3.0.1,3.0.2,3.0.3

From: Max Speed (maxspeed017at_private)
Date: Tue Mar 19 2002 - 21:14:27 PST

    Author: Maxspeed
    Vendor status: they have been informed
    
    Vulnerable versions: ikonboard 3.0.1
                         ikonboard 3.0.2
                         ikonboard 3.0.3 (the version they use on their site)
    
    Severity: Malicious users can steal session cookies, allowing
    administrative access to the admin panel
    
    Problem:
    The problem is in the way the [img] tag checks for "http://".
    The [img] tag checks for "http://" when you are posting a new
    topic, but it doesn't check for it while you are editing one.
    So it will allow you to insert malicious code while you are
    editing a post.
    
    Proof of concept:
    
    Make a new post, then "EDIT" the post and insert this code in
    the body of the post:
    
    [IMG]javascript:alert(document.cookie)[/IMG]
    
    An alert box should pop up displaying your cookies!
    
    Fix: 
    
    Make [IMG] tags check for "http://" when editing a post.
    
    Maxspeed017at_private
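
The fix described above, as an added example that is not part of the original advisory and is not ikonboard's code: one validation routine shared by the new-post and edit-post paths, plus a render-time backstop. The handler names, the dict-based store and the decision to allow https as well as http are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: https accepted alongside http


def is_safe_img_url(url):
    """Accept only absolute http(s) URLs that name a host."""
    url = url.strip()
    # Browsers drop tabs/newlines inside a URL, so reject any whitespace or
    # control character instead of letting "java<TAB>script:" slip through.
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def check_body(body):
    """Single validation routine used by every path that stores a post."""
    bad = [m.group(1) for m in IMG_TAG.finditer(body)
           if not is_safe_img_url(m.group(1))]
    if bad:
        raise ValueError("rejected [IMG] target(s): %r" % bad)
    return body


def create_post(store, post_id, body):  # hypothetical handler
    store[post_id] = check_body(body)


def edit_post(store, post_id, body):  # hypothetical handler: the path that lacked the check
    store[post_id] = check_body(body)


def render_body(body):
    """Render-time backstop: escape everything, expand only safe [IMG] tags."""
    def expand(match):
        escaped_url = match.group(1).strip()
        if is_safe_img_url(html.unescape(escaped_url)):
            return '<img src="%s" alt="">' % escaped_url
        return match.group(0)  # unsafe target stays as inert text
    return IMG_TAG.sub(expand, html.escape(body, quote=True))
```

Checking again at render time also covers posts that were stored before the edit path was fixed.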
    


