[][][][][][][][][][][][][][][][][][][][][][][][][][]
HRG - Hackerlounge Research Group
Release: HRG002
Friday 11-02-05
Software: PBLang 4.65 pmpshow.php XSS vulnerability

The author can't be held responsible for any damage done by a reader. You have your own responsibility. Please use this document like it's meant to.
[][][][][][][][][][][][][][][][][][][][][][][][][][]

Vulnerable: PBLang 4.65 (current) (and earlier?)

--- General information:

PBLang is an international BBS software based on PHP. It does not require any database but is based on a flat-file system. Many professional features. More info on the project website.

--- Description:

pmpshow.php shows the PMs a user has received; however, the body of the received PM is not checked for harmful characters like <, > and ". Because the body is written into the page unescaped, an attacker could steal sessions or do other things with JavaScript.

--- Proof of Concept:

Type "<script language="javascript">alert("Hackerlounge.com pwns joo");</script>" in the body of the PM you're going to send a victim. An alert box saying "Hackerlounge.com pwns joo" should pop up.

--- Fix and Vendor status:

The vendor has been notified and a patch is "pending".
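As an added illustration (hypothetical code written for this note, not PBLang's own pmpshow.php, which is not shown here), the pattern the advisory describes, a PM body echoed into the page unchanged, next to the output-escaping fix a maintainer would apply; the sample body is the advisory's own proof-of-concept string:

```php
<?php
// Constructed sample: the PM body from the advisory's proof of concept.
$pmBody = '<script language="javascript">alert("Hackerlounge.com pwns joo");</script>';

// Vulnerable pattern (hypothetical): the stored body is concatenated into
// the HTML as-is, so the browser parses the <script> element and runs it
// in the reading user's session.
function renderPmVulnerable(string $body): string
{
    return '<div class="pmbody">' . $body . '</div>';
}

// Hardened pattern: escape on output. htmlspecialchars turns &, <, >, "
// (and, with ENT_QUOTES, ') into entities, so the same body is displayed
// as literal text. Escaping at render time also covers PMs already sitting
// in the flat-file store, which an input filter alone would miss.
function renderPmSafe(string $body): string
{
    return '<div class="pmbody">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Quick check: the escaped output must contain no raw "<script" token.
function isEscaped(string $html): bool
{
    return stripos($html, '<script') === false;
}

echo renderPmVulnerable($pmBody), PHP_EOL;   // executes in a browser
echo renderPmSafe($pmBody), PHP_EOL;         // shows the tag as text
var_dump(isEscaped(renderPmVulnerable($pmBody))); // bool(false)
var_dump(isEscaped(renderPmSafe($pmBody)));       // bool(true)
```

The check in isEscaped is only a smoke test for this one payload; the actual control is calling htmlspecialchars on every untrusted value at the point it is written into HTML.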