Jump to content
Nytro

IP.Board 4.X - Stored XSS

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]IP.Board 4.X - Stored XSS[/h]

# Exploit Title: IP.Board 4.X Stored XSS
# Date: 27-08-2015
# Software Link: https://www.invisionpower.com/
# Exploit Author: snop.
# Contact: http://twitter.com/rabbitz_org
# Website: http://rabbitz.org
# Category: webapps

1. Description

A registered or non-registered user can create a calendar event
including malicious JavaScript code who will be permanently stored in
the pages source.

2. Proof of Concept

http://URL_TO_FORUM/calendar/submit/?calendar=1

POST:
Affected Paramter: event_location[address][]

3. Solution

Update to version 4.0.12.1
https://community.invisionpower.com/release-notes/40121-r22/

Disclosure Timeline
27.07.15: Vendor notified
05.08.15: Fix released
27.08.15: Public disclosure

Sursa: https://www.exploit-db.com/exploits/37989/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...