OpenBB 1.0 .0 RC3 BBCode Cross Agent HTML Injection Vulnerability

ID SSV:75300
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


OpenBB is web forum software written in PHP. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

OpenBB is reportedly vulnerable to HTML injection attacks. The vulnerability occurs when HTML code is replaced with BBCodes.

OpenBB uses 'BBCodes' in the place of HTML code to include images, links etc. However, HTML tags are not adequately replaced from with BBCodes. It is possible to inject arbitrary HTML code into forum messages. As a result, OpenBB is prone to cross-agent scripting attacks. Script code will be executed in the browser of the user viewing the forum message and may allow an attacker to steal cookie-based authentication credentials. 

[ img]http:// " onerror="ANYSCRIPT"[/img ]