Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters.
Invision Power Board index.php QUERY_STRING Parameter XSS
Remote / Network Access
Loss of Integrity
Invision Power Board contains a flaw within index.php that allows a remote cross-site scripting attack. The flaw exists because the application does not validate URL (QUERY_STRING) variables before returning them to the user. This could allow an attacker to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Discovery of this issue is credited to Electrobug.
Invision Power Services Invision Board 2.0 PF2
Invision Power Services Invision Board 2.0 PF1
Invision Power Services Invision Board 2.0 PDR3
Invision Power Services Invision Board 2.0 Alpha 3
Invision Power Services Invision Board 2.0
A vulnerability has been reported to exist in Invision Power Board that may allow a remote user to launch cross-site scripting attacks.
This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible.
No exploit is required to leverage this issue.
Currently we are not aware of any vendor-supplied patches for this issue.
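The root cause both advisories describe, shown as an added example (constructed illustration, not Invision Power Board's own index.php): query-string values echoed straight back into the page, beside a hardened version that validates numeric ids and HTML-encodes free-text values. The parameter names come from the advisory; the page markup and request are constructed.

```php
<?php
// Added example, not vendor code: the reflected-XSS pattern the advisory
// describes and one way to remediate it. Parameter names (showtopic, username)
// are from the advisory; the HTML fragments are constructed for illustration.

// VULNERABLE: QUERY_STRING values are written into the response unchanged, so
// a crafted link carrying markup in showtopic or username is rendered as HTML.
function render_vulnerable(array $get): string
{
    $topic = $get['showtopic'] ?? '';
    $user  = $get['username'] ?? '';
    return "<h1>Topic {$topic}</h1><p>Viewing as {$user}</p>";
}

// HARDENED: encode everything that reaches the page as text (quotes included,
// so the value is also safe inside an attribute) and accept ids only as digits.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function int_param(array $get, string $name): ?int
{
    $raw = $get[$name] ?? null;
    // Reject arrays (showtopic[]=1) and anything that is not a plain integer.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

function render_hardened(array $get): string
{
    $topic = int_param($get, 'showtopic');
    $user  = html((string) ($get['username'] ?? ''));
    $title = $topic === null ? 'Invalid topic' : "Topic {$topic}";
    return "<h1>{$title}</h1><p>Viewing as {$user}</p>";
}

// Constructed request standing in for the crafted URL the advisory describes.
$request = [
    'showtopic' => '<script>alert(1)</script>',
    'username'  => '<b>"guest"</b>',
];
echo render_vulnerable($request), PHP_EOL; // markup survives and would execute
echo render_hardened($request), PHP_EOL;   // "Invalid topic" and &lt;b&gt;&quot;guest&quot;&lt;/b&gt;
```

Run with `php example.php`; the first line of output still contains the raw script element, the second contains only encoded text.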