If you have Allow dynamic pages in IMG tags? set to "no" under "Board Options" --> "Basic Security Settings" is this still a threat? Mike -----Original Message----- From: Max Speed [mailto:maxspeed017@hotmail.com] Sent: Wednesday, March 20, 2002 12:14 AM To: bugtraq@securityfocus.com Subject: CSS in ikonboard 3.0.1,3.0.2,3.0.3 author: Maxspeed vendor statues: they have been informed Vulnerable versions: ikonboard 3.0.1 ikonboard 3.0.2 ikonboard 3.0.3(the version they use on their site) Severity: Malicious users can steal session cookies, allowing administrative access to the admin panel Problem: Ok the problem is in the way the [img] tags check for the "http://";. The [img] tags checks for the "http://"; when you posting a new topic but it doesnt check for it while your editing one. So it will allow you to insert malacious code while you editing a post. Proof of concept: Make a new post, then "EDIT" the post and in the body of the post insert this code [IMG]javascript:alert(document.cookie)[/IMG] an alert box should pop up displaying your cookies! Fix: make [IMG] tags check for "http://"; when editing a post. Maxspeed017@yahoo.com
