[XSS] paBox 2.0

[Rift <Sean@xxxxxxxxxxxx>]

pabox 2.0 no longer includes the Date and Time parameters in the POST data sent 
with your shout.  The date and time parameters in previous versions were 
vulnerable to a cross site scripting attack.  Now however in version 2.0 if you 
setup paBox to include an icon with your topic... eg:

:winkface: posted By SomePerson on 3/10/05 04:11 PM
<message follows here>


the parameter in the form that lets you select which 'smilie' to use as an icon 
for your post is prone to a script injection attack.  the specific parameter 
used is:

<INPUT type=radio CHECKED value="wink.gif" name=posticon>

where wink.gif becomse the value of the src attribute of the <img> tag when 
your post is submitted.  by simply altering wink.gif, or adding another 
instance of this parameter, you can inject your own code into the value of the 
new parameter.  eg:

<INPUT type=radio CHECKED 
value="&quot;>&lt;script&gt;document.write(document.cookie);&lt;/script&gt;" 
name=posticon>click me

simply check the radio button that reads 'click me' then submit your form as 
normal, and the code will be injected into the shoutbox.  Not everyone running 
version 2.0 of pabox seems to have this feature enabled, however from a quick 
search id say it's about 70% of the users that do have it enabled.  the 
official demonstration page for paBox 2.0 can be found at the phparena.net 
website.