BugTraq
ZH2003-14SA (security advisory): aspBoard XSS Vulnerability Aug 05 2003 10:05AM
G00db0y (G00db0y zone-h org)


ZH2003-14SA (security advisory): aspBoard XSS Vulnerability

Published: 5 August 2003

Released: 5 August 2003

Name: aspBoard

Affected Systems: 1.2

Issue: Remote attackers can inject XSS script

Author: G00db0y (at) zone-h (dot) org

Vendor: http://www.freezingcold.com

Description

***********

Zone-h Security Team has discovered a flaw in aspBoard 1.2 (and older versions?). aspBoard is a "Message Board Component for ASP Internet Applications".

Details

*******

The posting procedure requires: Your Name, Your Email, Your URL, a subject and your message. It is possible to inject script (XSS) through the url variable.

For example, try this:

Your Name: John Doe

Your Email: johndoe (at) johndoe (dot) com

Your URL: <script>alert('Zone-h')</script>

Subject: Hi

Your Message: Zone-h Security Team

Solution:

*********

The vendor has been contacted and a patch has not yet been produced.

Suggestions:

************

Filter the script

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2834/
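
One way to apply the "filter the script" suggestion to the Your URL field, shown as an added example in Python (not aspBoard code and not part of the original advisory): accept only absolute http(s) URLs, then HTML-encode every submitted value on output, which in classic ASP corresponds to Server.HTMLEncode. The function names, the length cap and the assumption that the board renders the URL as a link on the author's name are hypothetical.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the board only needs web links
MAX_URL_LEN = 200                    # assumption: arbitrary cap for this example


def clean_url(raw):
    """Return the submitted URL if it is an absolute http(s) URL, else None."""
    value = (raw or "").strip()
    if not value or len(value) > MAX_URL_LEN:
        return None
    # Whitespace, control characters and angle brackets never belong in the field.
    if any(ch.isspace() or ord(ch) < 0x20 or ch in "<>" for ch in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_author(name, raw_url):
    """Build the author line of a post; every dynamic value is HTML-encoded."""
    safe_name = html.escape(name, quote=True)
    url = clean_url(raw_url)
    if url is None:
        return safe_name  # drop the link rather than echo a rejected value
    return '<a href="%s" rel="nofollow">%s</a>' % (html.escape(url, quote=True), safe_name)


# Constructed sample submissions: the advisory's "Your URL" value and two ordinary ones.
SAMPLES = [
    ("John Doe", "<script>alert('Zone-h')</script>"),
    ("John Doe", "http://www.johndoe.com/?a=1&b=2"),
    ("<b>John</b>", ""),
]

if __name__ == "__main__":
    for sample_name, sample_url in SAMPLES:
        print(render_author(sample_name, sample_url))
```

Validation on input and encoding on output are both kept: the first rejects values that are not links at all, the second covers any field (name, subject, message) that reaches the page.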
