Message-ID: <34598.80.60.162.228.1111668494.squirrel@80.60.162.228>
Date: Thu Mar 24 13:04:43 2005
From: woody at woodys-software.com (Woody)
Subject: Invision Iframe Bug
Hi,
I've found a bug in Invision Board, it lets you send private messages
around, change people's signature, avatar, etc.
If the administrator doesn't filter all the html tags on a forum (or just
forgets, which is often the case) you can add an invisible iframe to your
post. Now if you just figure out how invision board sends for example a
private message, you can let people send one to someone.
Example:
<iframe id="frame1" name="frame1" frameborder=0 width=0 height=0
src="http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1&entered_name=Woody&msg_title=hi&Post=I%20love%20you!">
</iframe>
Every person who would view the post would send Woody a private message
(message: I love you, subject: hi). They wouldn't know it happened because
the iframe is invisible.
You just have to figure out how IB works. This bug CAN NOT change
passwords, email addresses or let an administrator do stuff. It's pretty
harmless really. I guess all versions are "affected" because it just
depends on the administrator of the forum.
Woody
woodys-software.com
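
Added example (not part of the message above and not Invision Board code): a server-side check under which the request in the iframe is refused, by requiring POST plus a per-session token for state-changing actions. The function names, the `csrf_token` field and the token scheme are assumptions; only the URL and the `act=Msg`/`CODE=04` pair come from the post.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# URL copied from the iframe in the post above.
IFRAME_URL = ("http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1"
              "&entered_name=Woody&msg_title=hi&Post=I%20love%20you!")

# Assumption: table of (act, CODE) pairs that change state. Only the
# send-private-message pair is taken from the post; a real forum lists them all.
STATE_CHANGING = {("Msg", "04")}


def issue_token(session_secret: bytes, member_id: str) -> str:
    """Token the forum would embed in its own forms (hypothetical scheme)."""
    return hmac.new(session_secret, member_id.encode(), hashlib.sha256).hexdigest()


def allow_request(method, url, form, session_secret, member_id):
    """Decide whether a cookie-authenticated request may run; returns (ok, reason)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update(form)  # POST body fields override query-string fields
    if (params.get("act", ""), params.get("CODE", "")) not in STATE_CHANGING:
        return True, "read-only action"
    if method != "POST":
        # Markup that loads a URL by itself (iframe, img) always issues a GET.
        return False, "state-changing action sent via " + method
    expected = issue_token(session_secret, member_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # The token is read from the body only and compared in constant time.
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf_token"
    return True, "token verified"


if __name__ == "__main__":
    secret, member = b"constructed-session-secret", "42"  # constructed values
    post_url = "http://www.website.com/forums/index.php"
    fields = {"act": "Msg", "CODE": "04", "entered_name": "Woody"}
    print(allow_request("GET", IFRAME_URL, {}, secret, member))
    print(allow_request("POST", post_url, fields, secret, member))
    fields["csrf_token"] = issue_token(secret, member)
    print(allow_request("POST", post_url, fields, secret, member))
```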