Invision Power Board <= 3.4.1 persistent XSS (BBCode)

2013.03.04
Credit: Infern0_
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Author: Infern0_
# Contact: balut2@o2.pl
# Vendor: http://www.invisionpower.com
# Vulnerability: Persistent XSS
# Vendor informed on: 6 February 2013
# Solution: Disable the possibility to use HTML in posts in the administrator panel. It is disabled by default in v3.4.2 of IP.B, and code in the quote tag is sanitized.

IP.B v3.4.1 is already a stable version of this software.

To reproduce this issue, follow these steps (sometimes you won't have to be logged in; it depends on forum preferences, because some forums allow guests to post):

1. Go to some topic to add a post.
2. Click the BBCode icon to turn it on (enable it) and write this:

[quote name="<script>alert(document.cookie)</script>"] Doesn't matter what here, for best something concrete to deceive other users [quote]

3. Submit the post, and voila - here it is. Our persistent XSS.

As you can see, the vulnerable variable is 'name' in the quote tag. You can enter there whatever you want to.
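The sanitizing fix mentioned under Solution comes down to HTML-encoding the quote tag's 'name' value before it is written into the page. The sketch below is an added example, not IP.B code and not the author's: it renders the same post with and without that encoding and audits stored posts for quote names that contain markup. The regex, HTML template, function names and sample posts are assumptions made for illustration.

```python
import html
import re

# Toy pattern for [quote name="..."]body[/quote]; an assumption, not IP.B's parser.
QUOTE_RE = re.compile(r'\[quote name="(?P<name>.*?)"\](?P<body>.*?)\[/quote\]', re.S)
QUOTE_HTML = '<blockquote><cite>{name} wrote:</cite>{body}</blockquote>'

# Constructed sample posts; the second carries the payload shown in the advisory.
SAMPLE_POSTS = [
    '[quote name="alice"]See you at 5 < 6pm[/quote] Agreed.',
    '[quote name="<script>alert(document.cookie)</script>"]hello[/quote]',
]


def render(post, escape_name=True):
    """Render quote tags to HTML. escape_name=False reproduces the flaw."""
    out, pos = [], 0
    for m in QUOTE_RE.finditer(post):
        out.append(html.escape(post[pos:m.start()]))  # text before the tag
        name = m.group("name")
        if escape_name:
            name = html.escape(name, quote=True)  # encode < > & " '
        out.append(QUOTE_HTML.format(name=name, body=html.escape(m.group("body"))))
        pos = m.end()
    out.append(html.escape(post[pos:]))  # text after the last tag
    return "".join(out)


def audit_quote_names(posts):
    """Return (post index, name) for stored posts whose quote name holds markup."""
    hits = []
    for i, post in enumerate(posts):
        for m in QUOTE_RE.finditer(post):
            if re.search(r'[<>"\']', m.group("name")):
                hits.append((i, m.group("name")))
    return hits


if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print("unsafe:", render(p, escape_name=False))
        print("safe:  ", render(p))
    print("audit: ", audit_quote_names(SAMPLE_POSTS))
```

Because the XSS is persistent, posts stored before the fix stay in the database, which is why the audit pass over existing content is included alongside the encoding.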

References:

http://www.invisionpower.com



Copyright 2024, cxsecurity.com
