[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050314042606.8197.qmail@www.securityfocus.com>
Date: 14 Mar 2005 04:26:06 -0000
From: Rift <Sean@...e-web.com>
To: bugtraq@...urityfocus.com
Subject: [XSS] paBox 2.0
pabox 2.0 no longer includes the Date and Time parameters in the POST data sent with your shout. The date and time parameters in previous versions were vulnerable to a cross site scripting attack. Now however in version 2.0 if you setup paBox to include an icon with your topic... eg:
:winkface: posted By SomePerson on 3/10/05 04:11 PM
<message follows here>
the parameter in the form that lets you select which 'smilie' to use as an icon for your post is prone to a script injection attack. the specific parameter used is:
<INPUT type=radio CHECKED value="wink.gif" name=posticon>
where wink.gif becomse the value of the src attribute of the <img> tag when your post is submitted. by simply altering wink.gif, or adding another instance of this parameter, you can inject your own code into the value of the new parameter. eg:
<INPUT type=radio CHECKED value=""><script>document.write(document.cookie);</script>" name=posticon>click me
simply check the radio button that reads 'click me' then submit your form as normal, and the code will be injected into the shoutbox. Not everyone running version 2.0 of pabox seems to have this feature enabled, however from a quick search id say it's about 70% of the users that do have it enabled. the official demonstration page for paBox 2.0 can be found at the phparena.net website.
Powered by blists - more mailing lists