Bugtraq mailing list archives

Thread-IT Message Board XSS Vulnerability
From: Bahaa Naamneh <b_naamneh () hotmail com>
Date: 24 Sep 2003 20:45:29 -0000

Thread-IT Message Board XSS Vulnerability

Published: 24 September 2003

Released: 24 September 2003

Affected Systems: Thread-IT Message Board

Vendor: http://www.ymonda.co.uk

Issue: Remote attackers can inject XSS script. 


"Thread-IT is a simple message board product that uses classic ASP scripts and an Access database. Installation of this 
product is simple even for people that have no ASP scripting experience."

It's possible to inject XSS script into the Topic Title, Name and Message fields.


">&lt;script&gt; this code will hide every thing after it including the the board topics if any attacker write it in 
the topic title.

&lt;script&gt;windows.open("URL");&lt;/script&gt; this code will open a new window when the board loaded.


The vendor has been contacted and a patch has not yet been produced.


Filter all variables. 

Discovered by / credit:

Bahaa Naamneh
b_naamneh () hotmail com
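The "filter all variables" advice above, shown as output encoding of the three affected fields. This is an added example, not code from the advisory or the vendor: it is written in Python as a stand-in for the board's classic ASP, where Server.HTMLEncode plays the role of html.escape, and the row template and sample post are assumptions.

```python
import html
from html.parser import HTMLParser

FIELDS = ("title", "name", "message")  # the three fields named in the advisory

# Hypothetical row template; the board's real markup is not shown in the advisory.
ROW = '<tr><td><a title="{title}">{title}</a></td><td>{name}</td><td>{message}</td></tr>'

# Constructed sample post using the two payload shapes the advisory quotes.
SAMPLE_POST = {
    "title": '"><script>',
    "name": "guest",
    "message": '<script>window.open("URL");</script>',
}


def render_unsafe(post):
    """The flaw: stored input is placed into the page unmodified."""
    return ROW.format(**{f: post[f] for f in FIELDS})


def render_safe(post):
    """The fix: encode every field on output; quote=True also covers attributes."""
    return ROW.format(**{f: html.escape(post[f], quote=True) for f in FIELDS})


class _TagCounter(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered row."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the start tags found in markup, in document order."""
    parser = _TagCounter()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Only the template's own tags should exist once the fields are encoded.
EXPECTED_TAGS = ["tr", "td", "a", "td", "td"]

if __name__ == "__main__":
    print("unsafe:", tags_in(render_unsafe(SAMPLE_POST)))
    print("safe:  ", tags_in(render_safe(SAMPLE_POST)))
```

In the unsafe rendering the parser stops seeing table cells after the injected script tag, which matches the "hides everything after it" behaviour the advisory describes.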
