OpenBB board.php FID Parameter XSS

2003-12-28T07:40:55
ID OSVDB:3220
Type osvdb
Reporter OSVDB
Modified 2003-12-28T07:40:55

Description

Vulnerability Description

OpenBB contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the "FID" variable upon submission to the "board.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
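The flaw class described above, as an added illustration that is not OpenBB's own code: a hypothetical board.php-style handler that reflects the FID parameter into the page unescaped, beside a version that validates FID as a numeric forum id and escapes it on output. The function names and the assumption that FID is numeric are mine, not taken from OpenBB.

```php
<?php
// Added illustration, not OpenBB's source: a minimal board.php-style
// handler that writes the FID (forum id) query parameter into the page.

// Vulnerable pattern: the raw query value is concatenated into HTML
// without validation or escaping, so a crafted FID value is returned
// to the browser as live markup (reflected XSS).
function render_forum_header_unsafe(array $get): string
{
    $fid = $get['FID'] ?? '';
    return '<h1>Forum ' . $fid . '</h1>';
}

// Hardened pattern: FID is assumed to identify a forum numerically, so
// anything that is not a string of digits is rejected up front, and the
// value is still HTML-escaped on output so that <, >, &, and quotes can
// never open a tag or attribute even if the validation rule changes.
function render_forum_header_safe(array $get): string
{
    $raw = $get['FID'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return '<p>Invalid forum id.</p>';
    }
    $fid = (int) $raw;
    $escaped = htmlspecialchars((string) $fid, ENT_QUOTES, 'UTF-8');
    return '<h1>Forum ' . $escaped . '</h1>';
}

// Constructed inputs: the advisory's payload shape, and a normal forum id.
$crafted = ['FID' => '<script>alert(document.cookie)</script>'];
$normal  = ['FID' => '12'];

echo render_forum_header_unsafe($crafted), "\n"; // script tag reaches the browser
echo render_forum_header_safe($crafted), "\n";   // rejected, nothing reflected
echo render_forum_header_safe($normal), "\n";    // numeric id rendered normally
```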

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/board.php?FID=<script>alert(document.cookie)</script>

References:

Vendor URL: http://www.openbb.com/
Secunia Advisory ID: 10498
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0555.html
ISS X-Force ID: 14115
Bugtraq ID: 9303