SECURITY.NNOV: more Ikonboard 3.1.1 crossite scriptings

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 12/09/02

  • Next message: Tamer Sahin: "[SecurityOffice] Enceladus Server Suite v3.9 Buffer Overflow Vulnerability"
    Date: Mon, 9 Dec 2002 16:49:43 +0300
    From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
    To: bugtraq <bugtraq@SECURITY.NNOV.RU>, bugtraq@securityfocus.com
    
    

    Ikonboard 3.1.1

      There are few ways to insert HTML tags into board content.

      1. Via Photo URL.

      In profile user can set URL of photo. It's possible to insert URL like

      javascript:alert(document.cookie)

      Javascript will be triggered if someone accesses user's profile.

      2. Via X-Forwarded-For: header.

      User's IPs are available for admin. If user accesses Ikonboard via
      Proxy, X-Forwarded-For: header is shown instead of proxy IP without
      filtering. Length is limited to 16 characters, but it's still possible
      do something interesting with 2 requests <script>/* and */<script>.

    Vendor was contacted November, 29 with no reply.
      

    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)