Artnana Webboard 1.4 Cross Site Scripting

Type packetstorm
Reporter Jing Wang
Modified 2015-05-08T00:00:00


                                            `*Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security  
Exploit Title: Artnana Webboard version 1.4 Multiple XSS Security  
Product: Webboard  
Vendor: Artnana  
Vulnerable Versions: version 1.4  
Tested Version: version 1.4  
Advisory Publication: May 09, 2015  
Latest Update: May 09, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: *  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Writer and Reporter: Jing Wang [School of Physical and Mathematical  
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]  
*Proposition Details:*  
*(1) Vendor & Product Description:*  
*Product & Vulnerable Versions:*  
version 1.4  
*Vendor URL & Download:*  
Webboard can be obtained from here,  
*Product Introduction Overview:*  
"Webboard is Thailand IT company that provide software service. Webboard  
can make your website easier and convenience. WebBoard is a discussion  
board where you post messages and participate in discussions with the other  
people in the course."  
*(2) Vulnerability Details:*  
Artnana Webboard web application has a computer security bug problem. It  
can be exploited by stored XSS attacks. This may allow a remote attacker to  
create a specially crafted request that would execute arbitrary script code  
in a user's browser session within the trust relationship between their  
browser and the server.  
Several other Artnana products 0-day vulnerabilities have been found by  
some other bug hunter researchers before. Artnana has patched some of them.  
FusionVM Vulnerability Management and Compliance provides sources for the  
latest info-sec news, tools, and advisories. It has published suggestions,  
advisories, solutions details related to XSS vulnerabilities.  
*(2.1) *The first programming code flaw occurs at "&keyword" parameter in  
"search_topic.php?" page.  
*(2.2) *The second programming code flaw occurs at "&keyword" parameter in  
"search_products.php" page.  
Jing Wang,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),