Ultimate PHP Board (UPB) viewtopic.php Multiple Variable XSS

2005-06-16T08:07:15
ID OSVDB:17366
Type osvdb
Reporter Alberto Trivero(trivero@jumpy.it)
Modified 2005-06-16T08:07:15

Description

Vulnerability Description

Ultimate PHP Board (UPB) contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'id' and 'page' variables submitted to the 'viewtopic.php' script. This could allow a user to create a specially crafted URL that executes arbitrary script code in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Tim Hoeppner has released a patch to address this vulnerability.

Manual Testing Notes

http://[target]/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
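
An added PHP illustration (not UPB source code and not Tim Hoeppner's patch) of the validation the description says is missing: 'id' and 'page' are accepted only as positive integers, and anything written into a single-quoted attribute is encoded with ENT_QUOTES so the leading %27 in the test strings cannot close it. The function names and the pagination link are assumptions; the sample input is the decoded test string from the notes above.

```php
<?php
// Added illustration: hypothetical handler, not UPB code and not the vendor patch.

// Constructed sample input: the decoded test string from the Manual Testing
// Notes in each parameter, plus one ordinary numeric request.
$samples = [
    ['id' => "'><script>alert(document.cookie)</script>", 'page' => '1'],
    ['id' => '1', 'page' => "'><script>alert(document.cookie)</script>"],
    ['id' => '26', 'page' => '2'],
];

/** Accept only a positive decimal integer; return null for anything else. */
function positive_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null; // missing, or an array such as id[]=1
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/** Encode for HTML text or attribute context, single quotes included. */
function html_escape(string $value): string
{
    // ENT_QUOTES is explicit: before PHP 8.1 the default left ' unencoded.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a (hypothetical) pagination link from validated values only. */
function render_page_link(array $query): string
{
    $id = positive_int_param($query, 'id');
    $page = positive_int_param($query, 'page');
    if ($id === null || $page === null) {
        return 'rejected: id and page must be positive integers';
    }
    $href = 'viewtopic.php?' . http_build_query(['id' => $id, 'page' => $page + 1]);
    return "<a href='" . html_escape($href) . "'>Next page</a>";
}

foreach ($samples as $query) {
    echo render_page_link($query), PHP_EOL;
    // If a raw value must be echoed (for example in an error message), encode it:
    echo '  encoded id: ', html_escape($query['id']), PHP_EOL;
}
```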

References:

Vendor URL: http://www.myupb.com/ourscripts_upb.php
Vendor Specific Solution URL: http://www.myupb.com/forum/viewtopic.php?id=26&t_id=118
Security Tracker: 1014220
Secunia Advisory ID: 15732
Related OSVDB IDs: 17364, 17369, 17372, 17362, 17365, 17368, 17373, 17374, 17371, 17363, 17367, 17370
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0137.html
CVE-2005-2004