HydroBB register.php s Variable XSS

2005-11-22T00:00:00
ID OSVDB:21297
Type osvdb
Reporter r0t (krustevs@googlemail.com)
Modified 2005-11-22T00:00:00

Description

Vulnerability Description

HydroBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 's' variable upon submission to the register.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

/forums/register.php?s=[XSS]

References:

Vendor URL: http://www.hydrobb.com/
Related OSVDB ID: 21295
Related OSVDB ID: 21298
Related OSVDB ID: 21299
Related OSVDB ID: 21301
Related OSVDB ID: 21294
Related OSVDB ID: 21296
Related OSVDB ID: 21300
Related OSVDB ID: 21293
Other Advisory URL: http://pridels.blogspot.com/2005/11/xss-in-hydrobb.html
ISS X-Force ID: 23299
CVE-2005-4642