[XSS] paBox 2.0
pabox 2.0 no longer includes the Date and Time parameters in the POST data sent
with your shout. The date and time parameters in previous versions were
vulnerable to a cross site scripting attack. Now however in version 2.0 if you
setup paBox to include an icon with your topic... eg:
:winkface: posted By SomePerson on 3/10/05 04:11 PM
<message follows here>
the parameter in the form that lets you select which 'smilie' to use as an icon
for your post is prone to a script injection attack. the specific parameter
used is:
<INPUT type=radio CHECKED value="wink.gif" name=posticon>
where wink.gif becomse the value of the src attribute of the <img> tag when
your post is submitted. by simply altering wink.gif, or adding another
instance of this parameter, you can inject your own code into the value of the
new parameter. eg:
<INPUT type=radio CHECKED
value=""><script>document.write(document.cookie);</script>"
name=posticon>click me
simply check the radio button that reads 'click me' then submit your form as
normal, and the code will be injected into the shoutbox. Not everyone running
version 2.0 of pabox seems to have this feature enabled, however from a quick
search id say it's about 70% of the users that do have it enabled. the
official demonstration page for paBox 2.0 can be found at the phparena.net
website.