Splatt Forum XSS

2002-06-06T00:00:00
ID SECURITYVULNS:DOC:3045
Type securityvulns
Reporter Securityvulns
Modified 2002-06-06T00:00:00

Description


Vulnerable systems: * Splatt Forum 3.0

Immune systems: * Splatt Forum 3.1

Splatt forum uses a user provided string (through the [IMG] tag) in the following HTML tag: <img src="$user_provided" border="0" />

While there is a check to force the string to begin with "http://", it does not disallow the double-quote character ("). This means that a malicious user can escape the src="" attribute in the HTML tag and insert his own HTML code. The same problem also exists in the remote avatar field of the user profile.

Example: Enter the following anywhere in a message: [img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

After that, anyone reading the message should see a popup with his cookie.
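The following is an added example, not code from the advisory or from Splatt Forum: a minimal [img] BBCode renderer that mimics the 3.0 behaviour described above (prefix check only, raw string dropped into src=""), beside a hardened renderer that validates the URL and HTML-escapes it before building the attribute. The same validation applies to the remote avatar field. Function names and the sample message are assumptions; the payload is the one quoted above.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample message carrying the payload quoted in the advisory.
SAMPLE_MESSAGE = '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]'

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_vulnerable(message: str) -> str:
    """Assumed 3.0-style behaviour: only the http:// prefix is checked and the
    raw user string is placed inside src="..." without escaping."""
    def sub(m: re.Match) -> str:
        url = m.group(1)
        if not url.startswith("http://"):
            return m.group(0)  # leave the tag unrendered
        return f'<img src="{url}" border="0" />'
    return IMG_TAG.sub(sub, message)


def safe_image_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs that contain no quote, angle bracket
    or whitespace, i.e. nothing that can terminate or extend the attribute."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if any(c in url for c in '"\'<>') or any(c.isspace() for c in url):
        return None
    return url


def render_img_hardened(message: str) -> str:
    """Validate the URL, then HTML-escape it so a quote in user input can
    never close the src attribute; rejected tags are shown as literal text."""
    def sub(m: re.Match) -> str:
        url = safe_image_url(m.group(1).strip())
        if url is None:
            return html.escape(m.group(0))
        return f'<img src="{html.escape(url, quote=True)}" border="0" />'
    return IMG_TAG.sub(sub, message)


def attribute_count(rendered: str) -> int:
    """Count attributes in the first <img> tag; the template has exactly two,
    so a third attribute is the signature of an attribute break-out."""
    tag = re.search(r"<img\b([^>]*)/?>", rendered)
    if tag is None:
        return 0
    return len(re.findall(r'(\w+)\s*=\s*"', tag.group(1)))
```

Running the quoted payload through the vulnerable renderer yields an <img> tag with three attributes (src, onerror, border); the hardened renderer rejects it and emits no tag at all.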

Severity: Malicious users can steal other users' and the administrator's cookies. This would allow the attacker to impersonate other users on the board and gain access to the administration panel.

Solution: Upgrade to the latest version of Splatt (version 3.1). Download splatt from: www.splatt.it

P.S. Like the recent PHPBB2 bug (I just copied and pasted from SecuriTeam's phpBB advisory).

/* Andreas Constantinides (MegaHz) * www.cyhackportal.com * www.megahz.org */
