Jump to content
Nytro

IP.Board 4.1.4.x - Persistent XSS Vulnerability

Recommended Posts

[h=1]IP.Board 4.1.4.x - Persistent XSS Vulnerability[/h]

# Exploit Title: IP.Board Persistent XSS Vulnerability
# Date: 29/10/2015
# Software Link: https://www.invisionpower.com/buy
# Software version : 4.1.4.x
# Exploit Author: Mehdi Alouache
# Contact: mehdi.alouache@etu.univ-lehavre.fr
# Category: webapps

1. Description

Any registered user can execute remote javascript code by sending a
private message to another user. The malicious JS code has to
be written in the title of the message, and the receiver must have
enabled the notifications when a new message is delivered.
Note that the code will be directly executed as soon as the notification
appear. (The receiver doesn't even need to check his
inbox).

2. Proof of Concept

Register on the forum (IP.Board) of a website as a regular user, and
send a message to any user having the message notifications
enabled. In the title field (and only here), a simple
<script>alert(1)</script> will show a dialog box to the victim.

3. Solution:

Patch the vulnerability with the (incoming) associated patch.

--
ALOUACHE Mehdi
Departement informatique
Groupe A

mehdi.alouache@hotmail.fr
mehdi.alouache@etu.univ-lehavre.fr

Sursa: https://www.exploit-db.com/exploits/38837/

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...