-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vulnerable systems:
 * Splatt Forum 3.0

Immune systems:
 * Splatt Forum 3.1
Splatt Forum takes a user-provided string (the URL inside a [IMG] tag) and places it directly into the following HTML tag: <img src="$user_provided" border="0" />

There is a check that forces the string to begin with "http://", but nothing rejects the double-quote character ("). Because the string is written into a double-quoted attribute without escaping, a double quote in the input terminates the src="" value; whatever follows it is interpreted as further attributes of the img tag or, after a closing "/>", as arbitrary HTML of the attacker's choosing. The same problem exists in the remote avatar URL field of the user profile, which is output in the same way.

With such a payload posted in a message, anyone who reads it would see a popup showing their own cookie; a real attacker would send the cookie to a server under their control instead.
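The flaw described above, as an added illustration that is not Splatt's own code: a minimal [IMG] renderer that performs only the "http://" prefix check, beside a hardened version that validates the URL and HTML-escapes it before building the attribute. The payload strings and the example URLs are constructed for this demonstration and are not taken from the advisory.

```javascript
// Added example (not Splatt Forum's code): the [IMG] tag rendering flaw
// and one way to fix it. Payloads below are constructed for illustration.

// Vulnerable: checks only the prefix, then interpolates the raw string into
// a double-quoted attribute. A '"' in the input closes src="" early.
function renderImgVulnerable(userProvided) {
  if (!userProvided.startsWith("http://")) {
    return null; // rejected: does not begin with http://
  }
  return `<img src="${userProvided}" border="0" />`;
}

// Escape the characters that are significant inside an HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept only http(s) URLs that contain no quote, angle bracket or
// whitespace. Escaping alone would already neutralise those characters;
// rejecting them as well keeps the accepted set simple to reason about.
function isSafeImageUrl(s) {
  let u;
  try {
    u = new URL(s);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return !/["'<>\s]/.test(s);
}

// Hardened: validate structurally, then escape before interpolation.
function renderImgSafe(userProvided) {
  if (!isSafeImageUrl(userProvided)) return null;
  return `<img src="${escapeAttr(userProvided)}" border="0" />`;
}

// Constructed payloads: both pass the "http://" prefix check.
// 1) injects an event-handler attribute into the img tag
const PAYLOAD_ATTR = 'http://x" onerror="alert(document.cookie)';
// 2) closes the img tag and appends arbitrary HTML
const PAYLOAD_TAG =
  'http://x"/><script>alert(document.cookie)</script><img src="';

console.log("vulnerable:", renderImgVulnerable(PAYLOAD_ATTR));
console.log("vulnerable:", renderImgVulnerable(PAYLOAD_TAG));
console.log("hardened:  ", renderImgSafe(PAYLOAD_ATTR));
console.log("hardened:  ", renderImgSafe("http://example.com/a.png?x=1&y=2"));
```

Run it with node; the vulnerable renderer emits the attacker's onerror handler (or script element) verbatim, while the hardened renderer rejects both payloads and emits a normal URL with its ampersand escaped.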
Severity: Malicious users can steal other users' and the administrator's cookies. This would allow the attacker to impersonate other users on the board and gain access to the administration panel.

Solution: Upgrade to the latest version of Splatt (version 3.1). Download Splatt from: www.splatt.it
Until the upgrade is applied, the [IMG] URL and the remote avatar URL should at least be rejected when they contain a double quote, or HTML-escaped before being written into the src attribute.
P.S. Like the recent PHPBB2 bug (I just copied and pasted from securiteam's phpbb advisory).

/*
 * Andreas Constantinides (MegaHz)
 * www.cyhackportal.com
 * www.megahz.org
 */
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPP9dJkJeOgJQULK7EQKFAACfYC3RGv+o4nDYO+fUtqkljjD51MUAnAhE
XCAhzIEN5B9zN14s54P19N49
=ERD/
-----END PGP SIGNATURE-----