WowBB index.php show Variable XSS

2004-10-01T10:38:19
ID OSVDB:19192
Type osvdb
Reporter Positive Technologies (pt@ptsecurity.ru)
Modified 2004-10-01T10:38:19

Description

Vulnerability Description

WowBB Web Forum contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'show' variable when it is submitted to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

/forum/index.php?show=[XSS CODE HERE]&sort_by=name

References:

Vendor URL: http://www.wowbb.com/
Security Tracker: 1011487
Secunia Advisory ID: 12843
Related OSVDB ID: 10772
Related OSVDB ID: 19190
Related OSVDB ID: 10771
Related OSVDB ID: 19191
Related OSVDB ID: 19193
Related OSVDB ID: 19194
Related OSVDB ID: 19195
Other Advisory URL: http://www.ptsecurity.ru/advisory.asp
Other Advisory URL: http://www.maxpatrol.com/advdetails.asp?id=7
Generic Informational URL: http://secunia.com/product/4065/
CVE-2004-2180
Bugtraq ID: 11429