Bugtraq mailing list archives

RE: CSS in ikonboard 3.0.1,3.0.2,3.0.3

From: Michael Ginese <MGinese () uamail albany edu>
Date: Thu, 21 Mar 2002 11:35:52 -0500

If you have 

Allow dynamic pages in IMG tags? set to "no"

under "Board Options" --> "Basic Security Settings"

is this still a threat?

Mike

-----Original Message-----
From: Max Speed [mailto:maxspeed017 () hotmail com]
Sent: Wednesday, March 20, 2002 12:14 AM
To: bugtraq () securityfocus com
Subject: CSS in ikonboard 3.0.1,3.0.2,3.0.3




author: Maxspeed
vendor statues: they have been informed

Vulnerable versions: ikonboard 3.0.1
                               ikonboard 3.0.2
                               ikonboard 3.0.3(the version they 
use on their site)

Severity: Malicious users can steal session cookies, 
allowing administrative access to the admin panel

Problem:
Ok the problem is in the way the [img] tags check for 
the "http://";. The [img] tags checks for the "http://"; 
when you posting a new topic but it doesnt check for 
it while your editing one. So it will allow you to insert 
malacious code while you editing a post.

Proof of concept:

Make a new post, then "EDIT" the post and in the 
body of the post insert this code

[IMG]javascript:alert(document.cookie)[/IMG]

an alert box should pop up displaying your cookies!

Fix: 

make [IMG] tags check for "http://"; when editing a 
post.

Maxspeed017 () yahoo com

Current thread:

CSS in ikonboard 3.0.1,3.0.2,3.0.3 Max Speed (Mar 20)
- <Possible follow-ups>
- RE: CSS in ikonboard 3.0.1,3.0.2,3.0.3 Michael Ginese (Mar 21)