Security Advisory: Woltlab Burning Board Lite formmail.php XSS

[Martin Heistermann <martin.heistermann@xxxxxx>]

Advisory Information
--------------------
Advisory name           :  Woltlab Burning Board Lite formmail.php XSS
Discovered by           :  drhankey / it-security23.net
Vendor Name             :  Woltlab
Vendor Homepage         :  http://www.woltlab.de
Software                :  Woltlab Burning Board Lite
Vulnerability Type      :  Cross-Site-Scripting
Vulnerable Versions     :  1.0.0, 1.0.1e, maybe more
Platforms               :  OS Independent, PHP


What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board


Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add 
arbitary Code to the output by using a malformed link.
The Board also allows logging in with stolen cookies.

Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1";>&lt;script&gt;document.location.href="http://www.it-security23.net";;</script
 x="y