UBB.threads login.php Cat Variable XSS

2004-12-13T10:34:35
ID OSVDB:12366
Type osvdb
Reporter gp(girl@catholic.org)
Modified 2004-12-13T10:34:35

Description

Vulnerability Description

UBB.threads contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Cat' parameter before the 'login.php' script reflects it into the page. This could allow a user to create a specially crafted URL that, when followed by a victim, would execute arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Ythan has released an unofficial patch to address this vulnerability:

In the file ubbt.inc.php find the following:

// ########################################################################
// MAILER CLASS
// Define class for sending email
// ########################################################################

Directly above this, add:

// Unofficial patch: reject any Cat value that contains characters other than digits and commas.
// explode_data(), get_input(), getmicrotime() and the html class are UBB.threads' own helpers.
@explode_data();
$Cat = get_input("Cat", "get");
if (preg_match("/[^\d,]/", $Cat)) {
    $timea = getmicrotime();
    $html = new html;
    // Renders the error page. If not_right() does not end the request in your
    // version, add exit; after this call so the rest of login.php never runs.
    $html->not_right("The script has received a malformed URL.");
}

Short Description

UBB.threads login.php does not validate the 'Cat' parameter, allowing a remote cross site scripting attack via a specially crafted URL.

Manual Testing Notes

http://[victim]/login.php?Cat=[XSS]
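The following is an added example, not code from UBB.threads or from the unofficial patch above. It models the login.php reflection and the patch's allowlist check side by side, and feeds both a legitimate value and a payload shaped like the manual-testing URL. It assumes, since the advisory does not say where Cat is reflected, that login.php copies the value into a hidden form field; the function names and the form markup are illustrative.

```php
<?php
// Added example (not UBB.threads code). Assumption: login.php reflects the
// Cat query parameter into a hidden form field, so unvalidated input lands
// inside an HTML attribute.

// Same allowlist as the unofficial patch (digits and commas only), written as
// a positive match so that a preg_match() error also fails closed.
// \z rather than $ is used so a trailing newline cannot sneak past the check;
// the patch's negative form /[^\d,]/ rejects that case as well.
function cat_is_well_formed(string $cat): bool
{
    return preg_match('/\A[\d,]*\z/', $cat) === 1;
}

// Vulnerable rendering: the raw query value is interpolated into markup.
function render_login_form_vulnerable(string $cat): string
{
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="Cat" value="' . $cat . '">'
         . '</form>';
}

// Hardened rendering: reject anything outside the allowlist, and encode on
// output anyway so a later caller cannot reintroduce the bug.
function render_login_form_hardened(string $cat): string
{
    if (!cat_is_well_formed($cat)) {
        // The patch calls $html->not_right(...) here; this model returns the
        // error page as a string instead.
        return '<p>The script has received a malformed URL.</p>';
    }
    $safe = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="Cat" value="' . $safe . '">'
         . '</form>';
}

// Constructed inputs: a legitimate category list and a payload in the shape of
// http://[victim]/login.php?Cat=[XSS]
$inputs = [
    '3,7',
    '"><script>alert(document.cookie)</script>',
];

foreach ($inputs as $cat) {
    echo "Cat=$cat\n";
    echo "  vulnerable: ", render_login_form_vulnerable($cat), "\n";
    echo "  hardened:   ", render_login_form_hardened($cat), "\n";
}
```

Run it with `php example.php`. The vulnerable branch shows the payload closing the value attribute and injecting a script element; the hardened branch rejects it at the allowlist and, for the legitimate value, emits it attribute-encoded. Keeping the output encoding even after the allowlist is deliberate: the regex protects this one parameter, the encoding protects the template.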

References:

Vendor URL: http://www.ubbcentral.com/
Vendor URL: http://www.infopop.com/
Security Tracker: 1012503
Secunia Advisory ID: 13452
Related OSVDB ID: 12365
Related OSVDB ID: 12364
Related OSVDB ID: 12367
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0239.html
Bugtraq ID: 11900