slickMsg 0.7-alpha BBCode CSS Cross Site Scripting

2010.12.16

Credit: Aliaksandr Hartsuyeu

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html
Details: http://evuln.com/vulns/162/description.html
-----------Summary-----------
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject XSS code (expression) into CSS style of size and color bbcodes.
"size" and "color" values are not properly sanitized before being used in CSS code.
Note: works in MS IE
--------PoC/Exploit--------
CSS XSS in BBcodes examples
XSS example 1: [size=expression(alert(123))]size[/size]
XSS example 2: [color=expression(alert(456))]blue[/color]
---------Solution----------
Not available
----------Credit-----------
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/xss/bbcode.html - recent bbcode xss advisories

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

slickMsg 0.7-alpha BBCode CSS Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.