14th Jun 2002 [SBWID-5441]
COMMAND
Splatt Forum cross site scripting vulnerability
SYSTEMS AFFECTED
Splatt Forum 3.0
PROBLEM
MegaHz [http://www.megahz.org] found the following:
Splatt forum uses a user provided string (through the [IMG] tag) in the
following HTML tag:
<img src="$user_provided" border="0" />
While there is a check to force the string to begin with "http://", it
doesn't disallow the symbol ". This means that a malicious user can
escape the src="" in the HTML tag and insert his own HTML code. This
same problem also exists in the remote avatar part of the user profile.
Example
=======
Enter the following anywhere in a message:
[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]
After that, anyone reading the message should see a popup with his
cookie.
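As an added illustration (not part of the advisory or of the Splatt code), the prefix-only check described above modelled in Python beside a hardened version that validates the URL and escapes the attribute value; the HTMLParser helper shows, as a browser would see it, that the advisory's payload becomes an extra attribute in the weak form and is rejected by the hardened one. The URLs, function and class names are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs modelled on the advisory; not taken from the Splatt source.
PAYLOAD = 'http://a.a/a"onerror="javascript:alert(document.cookie)'
BENIGN = "http://example.com/pic.png?a=1&b=2"


def render_img_weak(user_url: str) -> str:
    """Models the Splatt 3.0 behaviour: only the 'http://' prefix is
    checked, then the value is interpolated verbatim into src="..."."""
    if not user_url.startswith("http://"):
        return ""
    return f'<img src="{user_url}" border="0" />'


def is_safe_http_url(user_url: str) -> bool:
    """Reject anything that is not an absolute http(s) URL with a host,
    or that carries characters able to close an attribute or open a tag."""
    if any(c in '"\'<>' or c.isspace() for c in user_url):
        return False
    parts = urlsplit(user_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_img_safe(user_url: str) -> str:
    """Hardened form: validate first, then HTML-escape (quotes included)
    so the value can never leave the src="" attribute context."""
    if not is_safe_http_url(user_url):
        return ""
    return f'<img src="{html.escape(user_url, quote=True)}" border="0" />'


class _ImgAttrs(HTMLParser):
    """Collects attribute names of <img> tags as an HTML parser sees them."""
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.names.extend(name for name, _ in attrs)


def img_attribute_names(rendered: str) -> list[str]:
    """Detection helper: any attribute besides src/border means the user
    value broke out of the quoted src attribute."""
    p = _ImgAttrs()
    p.feed(rendered)
    p.close()
    return p.names
```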
Severity
========
Malicious users can steal other users' and the administrator's
cookies. This would allow the attacker to impersonate other users on
the board and to access the administration panel.
SOLUTION
Upgrade to the latest version of Splatt (version 3.1). Download splatt
from:
http://www.splatt.it