[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG003
[] Friday 11-02-05
[] Software: PBLang 4.65 pm.php XSS vulnerability
[]
[] The author can't be held responsible for any damage
[] done by a reader. You have your own responsibility.
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]

Vulnerable: PBLang 4.65 (current) (and earlier?)

---
General information:

PBLang is an international BBS software based on PHP. It does not require any database but is built on a flat-file system. It has many professional features; more info is on the project website.

---
Description:

When a user receives a PM with HTML in the subject, that HTML is rendered, and any script in it executed, as soon as the user opens pm.php. This may give an attacker the opportunity to steal the user's session. The link to the PM is not rendered either, so viewing the contents of the message becomes harder. An attacker could also flood a user's PM box by sending messages with a subject like <script>: the PM will not appear in the receiver's window, while pm.php will still say he/she has a new PM.

---
Proof Of Concept:

Type in the subject box "<script language="javascript">alert("Hackerlounge.com pwns joo");</script>" and submit. An alert box with the text "Hackerlounge.com pwns joo" should come up when the recipient visits pm.php.

---
Fix and Vendor status:

Vendor has been notified, expect an official patch soon.

---
Credit:

HRG - Hackerlounge Research Group
Hackerlounge.com
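The root cause is a PM subject written into the inbox page without output encoding. The following PHP is an added example (not PBLang's own code; the function names and the $pm array keys are assumptions) showing how a PM inbox row should be rendered so that a subject like the proof-of-concept string above is displayed as text instead of executed, and the message link stays visible:

```php
<?php
// Added example, not PBLang's code: render a PM inbox row with the subject
// HTML-encoded so any markup in it is shown literally, never executed.
// render_pm_row, encode_for_html and the $pm keys are assumed names.

function encode_for_html(string $text): string {
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // quoted attributes as well as in element text.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_pm_row(array $pm): string {
    $id      = (int) $pm['id'];           // only a number ever reaches the URL
    $subject = encode_for_html($pm['subject']);
    $from    = encode_for_html($pm['from']);
    return '<tr><td><a href="pm.php?id=' . $id . '">' . $subject . '</a></td>'
         . '<td>' . $from . '</td></tr>' . "\n";
}

// Constructed sample inbox, including the advisory's proof-of-concept subject.
$inbox = [
    ['id' => 1, 'from' => 'alice',   'subject' => 'Meeting tomorrow?'],
    ['id' => 2, 'from' => 'mallory',
     'subject' => '<script language="javascript">alert("Hackerlounge.com pwns joo");</script>'],
];

foreach ($inbox as $pm) {
    echo render_pm_row($pm);
}
// The second row now shows the <script> tag as visible text; no alert fires,
// and the link to the message is present, so the PM can be opened and deleted
// rather than silently filling the inbox as the advisory describes.
```

The same encoding must be applied everywhere the subject is echoed (the inbox list, the message view, and any "new PM" notice), since the stored value itself still contains the markup.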