FlatNuke News Submission Body XSS

2005-08-04T05:19:28
ID OSVDB:18553
Type osvdb
Reporter rgod (retrogod@aliceposta.it)
Modified 2005-08-04T05:19:28

Description

Vulnerability Description

FlatNuke contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the content of news items upon submission to a moderator. A user could create a specially crafted news item that executes arbitrary script code in a moderator's browser within the trust relationship between the browser and the server, possibly allowing an attacker to steal authentication cookies or other information belonging to a privileged account, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://flatnuke.sourceforge.net/
Secunia Advisory ID: 16330
Related OSVDB ID: 18554
Related OSVDB ID: 18551
Related OSVDB ID: 18549
Related OSVDB ID: 18550
Related OSVDB ID: 18552
Other Advisory URL: http://rgod.altervista.org/flatnuke.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0082.html
ISS X-Force ID: 21708
CVE-2005-2539
Bugtraq ID: 14483