Thread-IT Message Board XSS Vulnerability
Published: 24 September 2003
Released: 24 September 2003
Affected Systems: Thread-IT Message Board
Issue: Remote attackers can inject script code (XSS).
"Thread-IT is a simple message board product that uses classic ASP scripts and an Access database. Installation of this product is simple even for people that have no ASP scripting experience."
It's possible to inject script (XSS) into the Topic Title, Name and Message fields.
"><script> hides everything after it, including the board topics, if an attacker enters it in the topic title.
<script>window.open("URL");</script> opens a new window when the board is loaded.
The vendor has been contacted; a patch has not yet been produced.
Filter all variables.
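One reading of "filter all variables", as an added example that is not Thread-IT code or the author's fix: HTML-encode the Topic Title, Name and Message fields at the point they are written into the page. The template, field names and sample post below are constructed for illustration.

```javascript
// Added example; not Thread-IT code. The template and field names are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can close a quoted attribute or open a tag.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Renders one post. `encode` is applied to every user-supplied field at output time.
function renderPost(post, encode) {
  const title = encode(post.title);
  const name = encode(post.name);
  const message = encode(post.message);
  return `<div class="topic" title="${title}"><h3>${title}</h3>` +
         `<span>${name}</span><p>${message}</p></div>`;
}

// The template itself contains exactly 8 '<' characters. Any extra one means
// user input was emitted as markup instead of text.
const TEMPLATE_TAGS = 8;
function injectedTags(html) {
  return (html.match(/</g) || []).length - TEMPLATE_TAGS;
}

// Constructed sample post based on the two strings in the advisory.
const samplePost = {
  title: '"><script>',
  name: 'guest',
  message: '<script>window.open("URL");</script>',
};

const identity = (s) => s; // the behaviour the advisory describes: no encoding
const unsafeHtml = renderPost(samplePost, identity);
const safeHtml = renderPost(samplePost, encodeHtml);

console.log('unsafe:', injectedTags(unsafeHtml), 'injected tags');
console.log('safe:  ', injectedTags(safeHtml), 'injected tags');
console.log(safeHtml);
```

In classic ASP the built-in Server.HTMLEncode does the same job for text and double-quoted attribute values.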
Bahaa Naamneh firstname.lastname@example.org http://www.bsecurity.tk