TUCoPS :: Web BBS :: etc :: a6103.htm

XMB Forum XSS
6th Apr 2003 [SBWID-6103]
COMMAND

	XMB Forum XSS

SYSTEMS AFFECTED

	All version, tested on XMB 1.9 Developer's Edition

PROBLEM

	Thanks to dEcKa_tRaSh [decka_trash@yahoo.com] advisory :
	
	XMB Forum is most popular web forum  which  have  more  than  3  million
	boards on the net. But, I found a cross site scripting bug  on  it.  So,
	lets go faster :-
	
	The problem is in "member.php" which is not filting perfectly. Lets  say
	that we want to view Bob info/profile, so we clicking his  username  and
	it will go like this:-
	
	http://target/boards/member.php?action=viewpro&member=Bob
	
	Then we change the username with some active code, example :-
	
	http://target/boards/member.php?action=viewpro&member=<scr!pt>alert(document.cookie)</scr!pt>
	
	
	dEcKa_tRaSh | Greetz #king9x @ IRC Webnet

SOLUTION

	none yet ?

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH