ZH2003-15SA (security advisory): IdealBB XSS Vulnerability

From: G00db0y (G00db0y@zone-h.org)
Date: Fri Aug 08 2003 - 05:47:41 PDT

Next message: bugzillaat_private: "[RHSA-2003:255-01] up2date improperly checks GPG signature of packages"

Previous message: Matt Zimmerman: "[SECURITY] [DSA-367-1] New xtokkaetama packages fix buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) ZH2003-15SA (security advisory): IdealBB XSS Vulnerability Published: 7 august 2003 Released: 7 august 2003 Name: IdealBB Affected Systems: 1.4.9 beta Issue: Remote attackers can inject XSS script Author: G00db0y@zone-h.org Vendor: http://www.idealbb.com Description *********** Zone-h Security Team has discovered a flaw in IdealBB 1.4.9 (and older versions?). "The Ideal Bulletin Board (Ideal BB) is a powerful, scalable, and very user friendly bulletin board program that utilitzes SQL server on the backend and ASP and COM on the front end." Details ******* error.asp which is supposed to handle error messages,seems unfiltered agains Cross-Site Scripting. Which is allow any attacked to inject XSS script. Example: http://www.site.com/idealbb/error.asp?e=16&sessionID={xxxxxxxx-xxxx-xxxx- xxxx-xxxxxxxxxxxx}&msg=<script>alert('Zone-h')</script> Solution: ********* The vendor has been contacted and a patch was produced Suggestions: ************ Filter the script G00db0y - www.zone-h.org admin Original advisory here: http://www.zone-h.org/en/advisories/read/id=2838/

Next message: bugzillaat_private: "[RHSA-2003:255-01] up2date improperly checks GPG signature of packages"
Previous message: Matt Zimmerman: "[SECURITY] [DSA-367-1] New xtokkaetama packages fix buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:28:20 PDT