WWWThreads Cross Site Scripting

2010-12-07T00:00:00
ID PACKETSTORM:96464
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2010-12-07T00:00:00

Description

                                        
`www.eVuln.com advisory:  
XSS vulnerability in WWWThreads (php version)  
Summary: http://evuln.com/vulns/155/summary.html   
Details: http://evuln.com/vulns/155/description.html   
  
-----------Summary-----------  
eVuln ID: EV0155  
Software: n/a  
Vendor: WWWThreads  
Version: 2006.11.25  
Critical Level: low  
Type: Cross Site Scripting  
Status: Unpatched. No reply from developer(s)  
PoC: Not available  
Solution: Not available  
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )  
--------Description--------  
It is possible to inject XSS code into the "act" parameter of the "play.php" script.  
The "act" parameter is used without proper sanitization.  
--------PoC/Exploit--------  
Non-persistent XSS Example.  
  
XSS example: http://website/forum/play.php?act=<XSS>  
---------Solution----------  
Not available  
----------Credit-----------  
Vulnerability discovered by Aliaksandr Hartsuyeu  
http://evuln.com/xss/ - recent xss vulns  
`
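
A defender-side check for the issue described above, as an added example that is not part of the eVuln advisory or of WWWThreads: it scans web-server access-log lines for requests to `play.php` whose `act` value contains characters that would need HTML-escaping. The common/combined log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that must not reach HTML output unescaped.
MARKUP_CHARS = set('<>"\'')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_act(line):
    """Return the decoded 'act' value if the line is a play.php request
    whose 'act' parameter carries markup characters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/play.php"):
        return None
    # parse_qsl already percent-decodes once; fully_decode handles nesting.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "act":
            value = fully_decode(value)
            if MARKUP_CHARS & set(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    checked = ((n, suspicious_act(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in checked if v is not None]

# Constructed sample log lines; <XSS> is the advisory's own placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Dec/2010:10:00:00 +0000] "GET /forum/play.php?act=view HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Dec/2010:10:00:05 +0000] "GET /forum/play.php?act=%3CXSS%3E HTTP/1.1" 200 498',
    '192.0.2.12 - - [07/Dec/2010:10:00:09 +0000] "GET /forum/play.php?id=3&act=%253CXSS%253E HTTP/1.1" 200 498',
    '192.0.2.13 - - [07/Dec/2010:10:00:12 +0000] "GET /forum/index.php?act=%3CXSS%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit shows that a request carried markup in `act`, not that the script reflected it; confirm against the response body before treating it as a successful injection.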