[XSS] paBox 2.0

[Rift <Sean () Sage-web com>]

pabox 2.0 no longer includes the Date and Time parameters in the POST data sent with your shout.  The date and time 
parameters in previous versions were vulnerable to a cross site scripting attack.  Now however in version 2.0 if you 
setup paBox to include an icon with your topic... eg:

:winkface: posted By SomePerson on 3/10/05 04:11 PM
<message follows here>


the parameter in the form that lets you select which 'smilie' to use as an icon for your post is prone to a script 
injection attack.  the specific parameter used is:

<INPUT type=radio CHECKED value="wink.gif" name=posticon>

where wink.gif becomse the value of the src attribute of the <img> tag when your post is submitted.  by simply altering 
wink.gif, or adding another instance of this parameter, you can inject your own code into the value of the new 
parameter.  eg:

<INPUT type=radio CHECKED value="&quot;>&lt;script&gt;document.write(document.cookie);&lt;/script&gt;" 
name=posticon>click me

simply check the radio button that reads 'click me' then submit your form as normal, and the code will be injected into 
the shoutbox.  Not everyone running version 2.0 of pabox seems to have this feature enabled, however from a quick 
search id say it's about 70% of the users that do have it enabled.  the official demonstration page for paBox 2.0 can 
be found at the phparena.net website.