Home page logo
/

bugtraq logo Bugtraq mailing list archives

XMB 1.8 Partagium cross site scripting vulnerability
From: Marc Ruef <marc.ruef () computec ch>
Date: Thu, 22 May 2003 23:04:22 +0200

Hi!

Lotek, a friend of mine, informed me about a cross site scripting bug[1]
in my XMBforum 1.8.x[2]:

http://www.website.org/xmbforum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E

I sent this information at Apr 25 2003 to sales () aventure-media co uk (I
have not found any other contact email on the web page) and suggested a
patch or update. After a week, nothing came back so I decided to send my
advisory to the Super Administrator of their own board. No reply too.

This bug still exists in XMB 1.8 Final Edition SP1, released after the
bugtraq posting "XMB 1.8 Partagium SQL Injection Bug" on Apr 22 2003
5:08PM[2]. It may be possible that other versions of the board (1.11,
1.6, and 1.8 beta) are also vulnerable.

An new updated version of the forum may be available at
http://www.xmbforum.com/download/#partagium - An upgrade, if available,
is recommended.

Bye, Marc

[1] http://www.cgisecurity.com/articles/xss-faq.shtml
[2] http://www.xmbforum.com
[3] http://www.securityfocus.com/archive/1/319411

-- 
Computer, Technik und Security                  http://www.computec.ch/

"Alle Technik ist ein faustischer Pakt mit dem Teufel."
           Neil Postman, US-amerikanischer Soziologe und Medienkritiker


  By Date           By Thread  

Current thread:
  • XMB 1.8 Partagium cross site scripting vulnerability Marc Ruef (May 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault