lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <34598.80.60.162.228.1111668494.squirrel@80.60.162.228>
Date: Thu Mar 24 13:04:43 2005
From: woody at woodys-software.com (Woody)
Subject: Invision Iframe Bug

Hi,

I've found a bug in Invision Board, it let's you send private messages
around, change people their signature, avatar, etc.

If the administrator doesn't filter all the html tags on a forum (or just
forgets, which is often the case) you can add an invisible iframe to your
post. Now if you just figure out how invision board sends for example a
private message, you can let people send one to someone.

Example:


<iframe id="frame1" name="frame1" frameborder=0 width=0 height=0
src="http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1&entered_name=Woody&msg_title=hi&Post=I%20love%20you!">
</iframe>

Every person who would view the post would send Woody a private message
(message: I love you, subject: hi). They wouldn't know it happened because
the iframe is invisible.

You just have to figure out how IB works. This bug CAN NOT change
passwords, email addresses or let an administrator do stuff. It's pretty
harmless really. I guess all versions are "affected" because it just
depends on the administrator of the forum.

Woody
woodys-software.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ