Vulnerable systems:
 * Splatt Forum 3.0

Immune systems:
 * Splatt Forum 3.1

Splatt Forum uses a user-provided string (taken from the [IMG] tag) in the following HTML tag:

  <img src="$user_provided" border="0" />

While there is a check that forces the string to begin with "http://", it doesn't disallow the " character. This means that a malicious user can break out of the src="" attribute in the HTML tag and insert his own HTML code. The same problem also exists in the remote avatar part of the user profile.

Example:

Enter the following anywhere in a message:

  [img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

After that, anyone reading the message should see a popup with his cookie.

Severity:

Malicious users can steal other users' and the administrator's cookies. This would allow the attacker to impersonate other users on the board and gain access to the administration panel.

Solution:

Upgrade to the latest version of Splatt (version 3.1). Download Splatt from: www.splatt.it

p.s. LIKE the recent PHPBB2 bug (I just copied and pasted from SecuriTeam's phpBB advisory).

/*
 * Andreas Constantinides (MegaHz)
 * www.cyhackportal.com
 * www.megahz.org
 */