COMMAND
XMB Forum XSS

SYSTEMS AFFECTED
All versions, tested on XMB 1.9 Developer's Edition

PROBLEM
Thanks to dEcKa_tRaSh [decka_trash@yahoo.com] advisory:

XMB Forum is a most popular web forum, which has more than 3 million boards on the net. But I found a cross site scripting bug in it. So, let's go faster:

The problem is in "member.php", which is not filtering perfectly. Let's say that we want to view Bob's info/profile, so we click his username and it will go like this:

http://target/boards/member.php?action=viewpro&member=Bob

Then we change the username to some active code, example:

http://target/boards/member.php?action=viewpro&member=<scr!pt>alert(document.cookie)</scr!pt>

dEcKa_tRaSh | Greetz #king9x @ IRC Webnet

SOLUTION
None yet?
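The advisory reports that the "member" parameter of member.php is reflected into the profile page without adequate filtering. The following PHP is an added example, not XMB's code: it shows how such a handler can validate the username against an allow-list and HTML-escape it on output, so the defence does not depend on recognising particular tag spellings. The function names and the assumed username rule are illustrative.

```php
<?php
// Added example (not XMB's code): defensive handling of the user-controlled
// "member" parameter in a viewpro-style profile page.
// Function names and the username rule below are assumptions for illustration.

declare(strict_types=1);

// Accept only the username shape the forum permits (assumed rule: 1-32 chars
// of letters, digits, underscore, hyphen or space). Anything else is rejected
// before it reaches a database query or the rendered page.
function isValidMemberName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_\- ]{1,32}$/', $name) === 1;
}

// Escape on output so even an unusual but legitimate name cannot break out of
// the surrounding text node. ENT_QUOTES also covers attribute contexts.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the profile heading. Returns the markup instead of echoing it so the
// logic can be unit-tested in isolation.
function renderProfileHeading(string $member): string
{
    if (!isValidMemberName($member)) {
        // Constant message: never reflect the rejected input back to the browser.
        return '<p class="error">Invalid member name.</p>';
    }
    return '<h1>Profile of ' . escapeHtml($member) . '</h1>';
}

// The pattern the advisory describes, shown only for contrast (do not use):
// echo 'Profile of ' . $_GET['member'];   // reflected without escaping

// Constructed inputs: a normal name and the advisory's payload.
assert(renderProfileHeading('Bob') === '<h1>Profile of Bob</h1>');
assert(renderProfileHeading('<scr!pt>alert(document.cookie)</scr!pt>')
    === '<p class="error">Invalid member name.</p>');

echo renderProfileHeading($_GET['member'] ?? '');
```

With the allow-list in place the payload from the advisory never reaches the page; if a forum must permit characters outside that set, escapeHtml() alone still renders them inert as text.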