SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Snitz Forums
Vendors:   Snitz Communications
Snitz Forums Input Filtering Bug Lets Remote Users Conduct Cross-Site Scripting Attacks Against Snitz Forums Users
SecurityTracker Alert ID:  1003702
SecurityTracker URL:  http://securitytracker.com/id/1003702
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 1 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 3.3.03
Description:   A vulnerability was reported in the Snitz Forums web-based bulletin board software. A remote user can conduct cross-site scripting attacks against Snitz Forums web site users.

A remote user can create and post an HTML-based message that contains malicious JavaScript so that when another target user views the message, the JavaScript is executed by the target user's browser. The code will appear to originate from the web site running Snitz Forums and will run in the security context of that web site. As a result, the JavaScript code can access the target user's cookies and other information associated with the Snitz Forums site.

The following is a demonstration exploit string:

[img]javasCript:alert('Hello world.')[/img]

Impact:   A remote user may be able to cause arbitrary JavaScript to execute in another user's browser to steal that user's cookies associated with the web site running Snitz Forums.
Solution:   The vendor has released a fix (3.3.03), available at:

http://forum.snitz.com/specs.asp

Vendor URL:  www.snitz.com/default.asp
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  ASP-based

Message History:   None.


 Source Message Contents

Subject:  Snitz 2000 Code Patch (was RE: Open Bulletin Board javascript bug.)


The fix listed below is functional, but the vendor of this product has released a much better version posted at
http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660

Please use the above version, as it uses the replace function properly (I was in a hurry), takes care of more characters, and is the vendor approved patch.

I am -=not=- the vendor for this product, I just think it's an excellent application, and have used it a great deal. (The fact that it's free is like a total bonus ;) ) The website for this application can be found at http://www.snitz.com or http://forum.snitz.com (Forum site).

I posted the fix because I wanted administrators to be able to resolve this problem as quickly as possible. :)

Josh





-=-=-=FORWARDED MESSAGE

>'##### Quick Bug fix for Javascript in [img] tags - Joshua Hiller 02.27.02 #####
>                   strUrlText = replace(LCase(strUrlText),"javascript", "")
>'##### End Quick Bug fix for Javascript in [img] tags - Joshua Hiller 02.27.02 #####
>
>"Justin" <jwgolihew@cs.millersville.edu>
>02/26/02 06:05 PM
>To: <bugtraq@securityfocus.org>
>cc:
>Subject: RE: Open Bulletin Board javascript bug.
>
>Snitz Forums 2000, another free bulletin board software is also vulnerable.
>
>-----Original Message-----
>From: godminus [mailto:godminus@owns.com]
>Sent: Tuesday, February 26, 2002 1:24 PM
>To: bugtraq@securityfocus.org
>Subject: Re: Open Bulletin Board javascript bug.
>
>
>>   OpenBB is free php-based forum.
>>
>>   Exploit:
>>   [img]javasCript:alert('Hello world.')[/img]
>>
>>   Vulnerable systems:
>>   All versions of Open Bulletin Board including
>>   v.1.0.0
>>
>>  Immune systems:
>>   None
>>
>>   Solution:
>>   All URLs in [img] tags should start
>>   with "http://"
>>
>>                                    Yurij Rumiantsev
>
>Ikonboard version 3.0.1 is vulnerable to the same bug
>
> -- godminus
>
>
>
>
>
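
The check suggested in the quoted OpenBB report (URLs in [img] tags should start with "http://"), generalised here to also accept https, shown next to a JavaScript port of the quick fix's replace call. This is an added example, not code from Snitz, OpenBB or the posters; the function names `quickFixPort`, `escapeHtml`, `isAllowedImgUrl` and `renderImgTags` are hypothetical and the example.com URL is constructed.

```javascript
// Added example; not Snitz/OpenBB code. All function names are hypothetical.

// Port of the quoted quick fix: lowercase the URL, then delete "javascript".
// It is a denylist for one scheme and also lowercases legitimate URLs.
function quickFixPort(url) {
  return url.toLowerCase().split("javascript").join("");
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist: the raw text must start with http:// or https:// and must
// parse as an absolute URL whose scheme is one of those two.
function isAllowedImgUrl(raw) {
  if (!/^https?:\/\//i.test(raw)) return false;
  try {
    const { protocol } = new URL(raw);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false; // not a well-formed URL
  }
}

// Render [img]...[/img]; everything user-supplied is HTML-escaped, and a
// rejected tag is shown as inert text instead of being silently rewritten.
function renderImgTags(post) {
  const tag = /\[img\](.*?)\[\/img\]/gi;
  let out = "", last = 0, m;
  while ((m = tag.exec(post)) !== null) {
    out += escapeHtml(post.slice(last, m.index));
    const url = m[1].trim();
    out += isAllowedImgUrl(url)
      ? `<img src="${escapeHtml(url)}" alt="">`
      : escapeHtml(m[0]);
    last = tag.lastIndex;
  }
  return out + escapeHtml(post.slice(last));
}

// Constructed sample posts; the first is the demonstration string from the page.
const samples = [
  "[img]javasCript:alert('Hello world.')[/img]",
  "look [img]http://example.com/Pics/Cat.JPG?w=1&h=2[/img]",
];
for (const s of samples) console.log(renderImgTags(s));
```

The allowlist decides on the scheme the URL actually has, so it does not depend on enumerating unwanted strings, and it leaves the case of accepted URLs untouched.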






 
 



Copyright 2021, SecurityGlobal.net LLC