Boardhost.com - XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Boardhost.com - XSS
From: luny@xxxxxxxxxxxxxxx
Date: 15 Jun 2006 22:04:41 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Boardhost.com 

Description:

Free Msgboard hosting service.

Homepage:
http://www.Boardhost.com

Affected files
Input boxes of posting a message
Searching for a listing board

-------------------------------------------------

XSS vuln with cookie disclosure when posting a msg (Tested on boardhost.com's 
test msg board and a members board):

Boardhost doesn't properly filter user input before generating it. For PoC 
(Works on members with free account) try putting:

<IMG SRC="javascript:alert('XSS');">

Now, to bypass the filters for Members with paying accounts, its pretty easy. 
You'll notice they have paying accounts if their boards let you post links and 
images 

with your post. For a PoC there, in the Message:, or links input boxes just put 
http:// before your javascript.

http://<IMG SRC="javascript:alert('XSS');">

Screenshots:
http://www.youfucktard.com/xsp/boardhost1.jpg
http://www.youfucktard.com/xsp/boardhost2.jpg
http://www.youfucktard.com/xsp/boardhost3.jpg
http://www.youfucktard.com/xsp/boardhost4.jpg

Prev by Date: [USN-303-1] MySQL vulnerability
Next by Date: Develooping Flash Chat (banned_file) Remote File Inclusion
Previous by thread: [USN-303-1] MySQL vulnerability
Next by thread: Develooping Flash Chat (banned_file) Remote File Inclusion
Index(es):
- Date
- Thread