Unclassified NewsBoard Description Field XSS

2005-09-07T10:50:50
ID OSVDB:19239
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-09-07T10:50:50

Description

Vulnerability Description

Unclassified NewsBoard contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the "Description" variable when posting a message. This could allow a user to inject arbitrary HTML and script code that would execute in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 1.5.3-a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

Post a new message and paste the following into the description field: </div><script>alert(document.cookie)</script>
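The fix the solution section describes amounts to output-encoding the "Description" field before it is written into the page. The following Python snippet is an added illustration, not code from Unclassified NewsBoard: it encodes the field at render time and separately flags submissions carrying the tags seen in the testing note so they can be logged. The helper names and the regex are assumptions for this example.

```python
import html
import re

# Constructed sample: the exact string from the manual testing note above,
# as it would arrive in the "Description" field of a new message.
SAMPLE_DESCRIPTION = '</div><script>alert(document.cookie)</script>'

# Tags a newsboard description never legitimately needs. This pattern is
# for detection and logging only; the protection is the encoding below.
_SUSPICIOUS_TAG = re.compile(r'<\s*/?\s*(script|iframe|object|embed|img|svg)\b', re.I)


def looks_like_markup_injection(description: str) -> bool:
    """True when the submitted description carries scripting-related tags.
    Use it to log the attempt, never as a substitute for output encoding."""
    return bool(_SUSPICIOUS_TAG.search(description))


def render_description(description: str) -> str:
    """Entity-encode the description for inclusion inside a <div>.
    <, >, &, " and ' all become entities, so a stored payload can neither
    close the containing element (the </div> in the sample) nor open a
    <script> element."""
    return html.escape(description, quote=True)


def render_post(title: str, description: str) -> str:
    """Build the message HTML the way a fixed template would: every
    user-controlled field is encoded at the point of output."""
    return ('<div class="post"><h2>%s</h2><div class="desc">%s</div></div>'
            % (html.escape(title, quote=True), render_description(description)))


if __name__ == '__main__':
    if looks_like_markup_injection(SAMPLE_DESCRIPTION):
        print('suspicious markup in description; would be logged here')
    print(render_post('test', SAMPLE_DESCRIPTION))
```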

References:

Vendor URL: http://newsboard.unclassified.de/
Secunia Advisory ID: 16726
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0051.html
ISS X-Force ID: 22172
CVE: CVE-2005-2855
Bugtraq ID: 14748