[Original] Cross-site scripting (XSS) vulnerability in showflat.php in Infopop UBB.Threads before 6.5 allows remote attackers to inject arbitrary web script or HTML via the Cat parameter.
Some of these issues may have been fixed in version 6.5 of the affected package. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .
source: http://www.securityfocus.com/bid/11900/info
It is reported that UBB.threads is affected by multiple cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input prior to including it in dynamically generated web pages.
These issues could permit a remote attacker to create malicious URI links that include hostile HTML and script code. If these links were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
These vulnerabilities are reported to exist in versions 6.2.3 and 6.5 of UBB.threads. Other versions may also be affected.
http://www.example.com/showflat.php?Cat=document.write(unescape("%3CSCRIPT%3Ealert%28document.domain%29%3B%3C/SCRIPT%3E%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C/SCRIPT%3E%0D%0A"));
UBB.threads contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'Cat' variables upon submission to the 'showflat.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
-
Timeline
2004-12-13
2004-12-06
2004-12-13
Unknown
-
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Ythan has released an unofficial patch to address this vulnerability:
In the file ubbt.inc.php find the following:
// ########################################################################
// MAILER CLASS
// Define class for sending email
// ########################################################################
Directly above this, add:
@explode_data();
$Cat = get_input("Cat","get");
// Allowlist: Cat may contain only digits and commas (e.g. "1" or "1,2,3").
// Any other character (such as the <, >, ( and " needed for the PoC above) rejects the request.
if (preg_match("/[^\d,]/", $Cat)){
    $timea = getmicrotime();
    $html = new html;
    // Abort with the standard UBB.threads error page instead of reflecting Cat into the output.
    $html -> not_right("The script has received a malformed URL.");
}
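The following is an added, self-contained PHP illustration of the flaw described above and of the two controls that close it: the digit-and-comma allowlist that Ythan's patch applies, and output encoding as a second layer. It is not UBB.threads code and not Ythan's patch; render_vulnerable() and render_hardened() are stand-ins that assume showflat.php drops the raw Cat value into an HTML link and its text, which is the behaviour the advisory describes but not the actual markup the script emits. The sample values are constructed, with the malicious one taken from the PoC URL on this page.

```php
<?php
// Added example: reflection of the Cat parameter, the allowlist check from the
// unofficial patch, and output encoding. The render_* functions are assumptions
// standing in for the real showflat.php output; only preg_match() and
// htmlspecialchars() are the actual PHP built-ins involved.

declare(strict_types=1);

// Vulnerable pattern (assumed shape of the original reflection): the raw
// query-string value is concatenated straight into the page.
function render_vulnerable(string $cat): string
{
    return '<a href="showflat.php?Cat=' . $cat . '">Category ' . $cat . '</a>';
}

// The check Ythan's patch adds to ubbt.inc.php, as a predicate:
// Cat is well-formed only if it consists of digits and commas.
function cat_is_wellformed(string $cat): bool
{
    return preg_match('/[^\d,]/', $cat) === 0;
}

// Hardened version: reject malformed input first, and encode whatever is
// reflected anyway. The encoding is what still protects the page if the value
// is later reused in a code path the allowlist does not cover.
function render_hardened(string $cat): string
{
    if (!cat_is_wellformed($cat)) {
        throw new InvalidArgumentException('The script has received a malformed URL.');
    }
    $safe = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="showflat.php?Cat=' . $safe . '">Category ' . $safe . '</a>';
}

// Constructed inputs. PHP decodes %xx sequences in $_GET, so the value the
// script sees for the PoC already contains literal <SCRIPT> tags.
$poc    = urldecode('document.write(unescape("%3CSCRIPT%3Ealert%28document.domain%29%3B%3C/SCRIPT%3E%0D%0A"));');
$benign = '3,7';

// 1. Vulnerable reflection: the script tag lands in the response unchanged.
$out = render_vulnerable($poc);
echo "vulnerable, tag reflected: ", (strpos($out, '<SCRIPT>') !== false ? 'yes' : 'no'), "\n";

// 2. Allowlist: the benign category list passes, the PoC does not.
echo "benign passes allowlist:   ", (cat_is_wellformed($benign) ? 'yes' : 'no'), "\n";
echo "PoC passes allowlist:      ", (cat_is_wellformed($poc) ? 'yes' : 'no'), "\n";

// 3. Hardened path: benign input renders, the PoC is refused before output.
echo "hardened, benign:          ", render_hardened($benign), "\n";
try {
    render_hardened($poc);
} catch (InvalidArgumentException $e) {
    echo "hardened, PoC rejected:    ", $e->getMessage(), "\n";
}

// 4. Encoding alone, for comparison: even without the allowlist the markup is
// neutralised, because < > " ' & become entities and cannot open a tag.
$encoded = htmlspecialchars($poc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "encoded, tag survives:     ", (strpos($encoded, '<SCRIPT>') !== false ? 'yes' : 'no'), "\n";
```

Run it with `php example.php`. The allowlist is the cheaper control and matches the unofficial patch, but it only guards the one read of Cat in ubbt.inc.php; encoding at the point of output is what an upgrade should provide for every reflected parameter, since the advisory notes that showflat.php is only one of several affected scripts.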