SECURITY.NNOV: more Ikonboard 3.1.1 crossite scriptings

From: 3APA3A (3APA3Aat_private)
Date: Mon Dec 09 2002 - 05:49:43 PST

Next message: Tamer Sahin: "[SecurityOffice] Enceladus Server Suite v3.9 Buffer Overflow Vulnerability"

Previous message: Dr. Peter Bieringer: "Re: Proxy vulnerability in TrendMicro InterScan-VirusWall V3.6 - and 3.7 Build 1190"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ikonboard 3.1.1

  There are few ways to insert HTML tags into board content.

  1. Via Photo URL.

  In profile user can set URL of photo. It's possible to insert URL like

  javascript:alert(document.cookie)

  Javascript will be triggered if someone accesses user's profile.

  2. Via X-Forwarded-For: header.

  User's  IPs  are  available  for admin. If user accesses Ikonboard via
  Proxy,  X-Forwarded-For:  header  is shown instead of proxy IP without
  filtering. Length is limited to 16 characters, but it's still possible
  do something interesting with 2 requests <script>/* and */<script>.

Vendor was contacted November, 29 with no reply.
  
-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

Next message: Tamer Sahin: "[SecurityOffice] Enceladus Server Suite v3.9 Buffer Overflow Vulnerability"
Previous message: Dr. Peter Bieringer: "Re: Proxy vulnerability in TrendMicro InterScan-VirusWall V3.6 - and 3.7 Build 1190"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 08:45:24 PST