[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] BetaBoard Cross Site Scripting vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] BetaBoard Cross Site Scripting vulnerability
From: izi <easy.mask@xxxxxxxxx>
Date: Mon, 17 Apr 2006 00:58:27 +0200

//----- Advisory


Program          : BetaBoard
Homepage         : http://gonzo.uni-weimar.de/~scheffl2/betaboard/
Tested version   : 0.1
Found by         : Simon MOREL <philemon at thehackademy dot net>
This advisory    : Simon MOREL <philemon at thehackademy dot net>
Discovery date   : 2006/04/16



//----- Application description


BetaBoard is a small german forum in which thread list is displayed as
an indented tree.



//----- Description of vulnerability


Malicious JavaScript code can be insert in user's profile.



//----- Proof Of Concept


<script>alert('document.cookie')</script>



//----- Impact


Every user reading evil guy's profile can have his cookie stolen



//----- Credits


Simon MOREL <philemon at thehackademy dot net>
http://www.sysdream.com



//----- Greetings


Celelibi for his English ;>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: RE: [inbox] Re: [Full-disclosure] [funsec] fuzzing mailing list
Next by Date: Re: [Full-disclosure] [funsec] fuzzing mailing list
Previous by thread: Re: [Full-disclosure] Achtung weisseshute!
Next by thread: [Full-disclosure] Attn Xfocus
Index(es):
- Date
- Thread