RE: CSS in ikonboard 3.0.1,3.0.2,3.0.3
From: Michael Ginese (MGinese@uamail.albany.edu)Date: 03/21/02
- Previous message: sesser@php.net: "Re: move_uploaded_file breaks safe_mode restrictions in PHP"
- Maybe in reply to: Max Speed: "CSS in ikonboard 3.0.1,3.0.2,3.0.3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Michael Ginese <MGinese@uamail.albany.edu> To: 'Max Speed' <maxspeed017@hotmail.com>, bugtraq@securityfocus.com Date: Thu, 21 Mar 2002 11:35:52 -0500
If you have
Allow dynamic pages in IMG tags? set to "no"
under "Board Options" --> "Basic Security Settings"
is this still a threat?
Mike
-----Original Message-----
From: Max Speed [mailto:maxspeed017@hotmail.com]
Sent: Wednesday, March 20, 2002 12:14 AM
To: bugtraq@securityfocus.com
Subject: CSS in ikonboard 3.0.1,3.0.2,3.0.3
author: Maxspeed
vendor statues: they have been informed
Vulnerable versions: ikonboard 3.0.1
ikonboard 3.0.2
ikonboard 3.0.3(the version they
use on their site)
Severity: Malicious users can steal session cookies,
allowing administrative access to the admin panel
Problem:
Ok the problem is in the way the [img] tags check for
the "http://". The [img] tags checks for the "http://"
when you posting a new topic but it doesnt check for
it while your editing one. So it will allow you to insert
malacious code while you editing a post.
Proof of concept:
Make a new post, then "EDIT" the post and in the
body of the post insert this code
[IMG]javascript:alert(document.cookie)[/IMG]
an alert box should pop up displaying your cookies!
Fix:
make [IMG] tags check for "http://" when editing a
post.
- Previous message: sesser@php.net: "Re: move_uploaded_file breaks safe_mode restrictions in PHP"
- Maybe in reply to: Max Speed: "CSS in ikonboard 3.0.1,3.0.2,3.0.3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
