SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Ikonboard
Vendors:   Ikonboard.com
Ikonboard Bulletin Board IMG Tag Javascript Filtering Can Be Bypassed By Remote Users, Allowing Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1003868
SecurityTracker URL:  http://securitytracker.com/id/1003868
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 3.0.1, 3.0.2, 3.0.3
Description:   A vulnerability was reported in Ikonboard. A remote user can conduct cross-site scripting attacks against other Ikonboard users.

It is reported that Ikonboard filters IMG tags to make sure that they begin with the string 'http://'. However, the filtering reportedly only occurs when posting a new topic and not when editing an existing topic. This allows a remote user with valid access to the bulletin board to inject malicious code that will be executed when another Ikonboard user views the affected message.

The following demonstration exploit transcript is provided:

Make a new post, then "EDIT" the post and in the body of the post insert this code

[IMG]javascript:alert(document.cookie)[/IMG]

an alert box should pop up displaying your cookies!

The vendor has reportedly been notified.

Impact:   A remote user can inject malicious javascript into a message such that when another Ikonboard user views the message, the javascript will be executed. This code will originate from the host running Ikonboard and will run in the security context of that host. As a result, the code will be able to access the target (victim) Ikonboard user's cookies associated with that site. With access to the cookies, the remote user can then gain access to the target user's Ikonboard account.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ikonboard.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  CSS in ikonboard 3.0.1,3.0.2,3.0.3




author: Maxspeed
vendor status: they have been informed

Vulnerable versions: ikonboard 3.0.1
                     ikonboard 3.0.2
                     ikonboard 3.0.3 (the version they use on their site)

Severity: Malicious users can steal session cookies, 
allowing administrative access to the admin panel

Problem:
OK, the problem is in the way the [img] tags check for 
the "http://". The [img] tags check for the "http://" 
when you are posting a new topic, but it doesn't check for 
it while you're editing one. So it will allow you to insert 
malicious code while you are editing a post.

Proof of concept:

Make a new post, then "EDIT" the post and in the 
body of the post insert this code

[IMG]javascript:alert(document.cookie)[/IMG]

an alert box should pop up displaying your cookies!

Fix: 

make [IMG] tags check for "http://" when editing a 
post.

Maxspeed017@yahoo.com
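
One way to apply the fix suggested above so that no write path can skip the check, as an added example that is not Ikonboard's code or part of the original message. The function names, the in-memory POSTS store and the inclusion of https in the allow-list are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: the advisory only mentions http://
POSTS = {}  # constructed in-memory store standing in for the board's database


def img_url_ok(url):
    """True only for absolute http(s) URLs with a host and no whitespace/control chars."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def validate_body(body):
    """The single check shared by every write path; raises on a bad [IMG] target."""
    for match in IMG_TAG.finditer(body):
        if not img_url_ok(match.group(1)):
            raise ValueError("rejected [IMG] target: %r" % match.group(1))
    return body


def save_post(post_id, body):
    """Both 'new topic' and 'edit' call this, so neither handler can omit validation."""
    POSTS[post_id] = validate_body(body)


def render_post(post_id):
    """Re-check at output time and escape all text, so already-stored posts are inert too."""
    out, pos, body = [], 0, POSTS[post_id]
    for m in IMG_TAG.finditer(body):
        out.append(html.escape(body[pos:m.start()]))
        url = m.group(1)
        if img_url_ok(url):
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            out.append(html.escape(m.group(0)))  # leave the tag as plain text
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)
```

The render-time check matters because posts edited before a fix is deployed remain in storage; validating only on write would leave them active.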

 
 



Copyright 2019, SecurityGlobal.net LLC