Cross site scripting in Onecenter forum 4.0

• Previous message: Wolter Kamphuis: "Re: Unauthorized reading files on phpSysInfo"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 24 Apr 2003 23:01:17 -0300 (ART)
To: <bugtraq@securityfocus.com>

Issue : cross site scripting in Onecenter forum

Affected Product : Onecenter forum 4.0

Description :

Onecenter offers a free discussion forum hosted in the company's servers (
forum.onecenter.com ) . Any user in the forum is identified by a cookie
that contains nick , name , mail address and password . This information
can be easily obtained as you can add in your posts the img html tag with
a custom script as follows
<img src=javascript:alert(document.cookie);>

To impersonate any user in the forum ( onecenter administrators would be a
good choice ) you just have to build a cookie like the one obtained and
visit the forum .

-- 
Regards ,
David F. Madrid
Madrid , Spain

• Previous message: Wolter Kamphuis: "Re: Unauthorized reading files on phpSysInfo"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-Disclosure] Cross site scripting in Onecenter Forum 4.0 ... cross site scripting in Onecenter forum ... Madrid, Spain ... (Full-Disclosure) fuzzylime (forum) XSS ... Application: fuzzylime Forum ... Bug: Cross site Scripting (XSS) ... Fix Available: Yes ... (Bugtraq) wbboard 1.1.1 Cross Site Scripting Vulnerability ... wbboard 1.1.1 Cross Site Scripting Vulnerability ... wbboard 1.1.1 is a phpBB-like PHP forum ... User clicked on this link force posted your message in forum:) ... (Bugtraq) Cireos Portal Cross Site Scripting ... Attack method: Cross Site Scripting ... cireos is a powerfull Portal and featuring a forum ... (Bugtraq)