| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <34598.80.60.162.228.1111668494.squirrel@80.60.162.228> Date: Thu Mar 24 13:04:43 2005 From: woody at woodys-software.com (Woody) Subject: Invision Iframe Bug Hi, I've found a bug in Invision Board, it let's you send private messages around, change people their signature, avatar, etc. If the administrator doesn't filter all the html tags on a forum (or just forgets, which is often the case) you can add an invisible iframe to your post. Now if you just figure out how invision board sends for example a private message, you can let people send one to someone. Example: <iframe id="frame1" name="frame1" frameborder=0 width=0 height=0 src="http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1&entered_name=Woody&msg_title=hi&Post=I%20love%20you!"> </iframe> Every person who would view the post would send Woody a private message (message: I love you, subject: hi). They wouldn't know it happened because the iframe is invisible. You just have to figure out how IB works. This bug CAN NOT change passwords, email addresses or let an administrator do stuff. It's pretty harmless really. I guess all versions are "affected" because it just depends on the administrator of the forum. Woody woodys-software.com
Powered by blists - more mailing lists