TUCoPS :: Web BBS :: etc :: bt820.txt

aspBoard XSS Vulnerability




ZH2003-14SA (security advisory): aspBoard XSS Vulnerability





Published: 5 august 2003



Released: 5 august 2003



Name: aspBoard



Affected Systems: 1.2



Issue: Remote attackers can inject XSS script



Author: G00db0y@zone-h.org



Vendor: http://www.freezingcold.com



Description



***********



Zone-h Security Team has discovered a flaw in 

aspBoard 1.2 (and older versions?). aspBoard is a

"Message Board Component for ASP Internet Applications".







Details



*******

 

The posting procedure needs: Your Name, Your Email, Your

URL, a subject and your message. It's possible to inject

XSS script in the url variable.



For example try this:



Your Name: John Doe



Your Email: johndoe@johndoe.com



Your URL: <script>alert('Zone-h')</script>



Subject: Hi



Your Message: Zone-h Security Team





Solution:



*********



The vendor has been contacted and a patch is not yet produced





Suggestions:



************



Filter the script





G00db0y - www.zone-h.org admin



Original advisory here: http://www.zone-h.org/en/advisories/read/id=2834/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH