2.1.9 Beta

A cross-site scripting vulnerability has been reported in Ikonboard. Remote users can insert JavaScript into bulletin board messages that will be executed when another user views the message.

It is reported that a remote user can place JavaScript between HTML IMG tags to bypass the board's HTML filtering: the IMG tag itself is allowed through, and the content between the opening and closing tags is not checked. When another user views the message, the JavaScript will be executed.

An example of a tag that bypasses the filtering is provided:

<IMG>javascript:alert('This is the test')</img>

A remote user can therefore insert JavaScript into bulletin board messages that will be executed by another user's browser when that user views the message. Because the script is served from the bulletin board's own origin, it may be able to access the viewing user's cookies and other session information. This has been fixed in Ikonboard version 3.0.
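The following is an added illustration of the class of bug described above, not Ikonboard's own filter code (which the advisory does not reproduce). It models a hypothetical message filter that escapes all HTML and then re-expands an allowlisted <IMG>...</img> construct into an <img src="..."> tag without checking the value inside, so the advisory's javascript: payload survives, and places a hardened version beside it that parses the URL and only accepts http: and https: schemes. The function names naiveFilter, hardenedFilter and escapeHtml, and the sample messages, are assumptions made for this example.

```javascript
// Added example (not Ikonboard code). Models a hypothetical allowlist-style
// message filter that turns <IMG>...</img> into <img src="...">. The flaw it
// demonstrates is the one in the advisory: the tag is allowlisted, but the
// attacker-controlled value between the tags is never validated.

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Entity decoding for the entities escapeHtml() produces, so the URL can be
// inspected as the poster actually wrote it.
function unescapeHtml(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Matches the escaped form of <IMG>...</img> (case-insensitive tag names).
const IMG_RE = /&lt;IMG&gt;(.*?)&lt;\/img&gt;/gi;

// Vulnerable pattern: escape everything, then re-enable IMG by copying the
// inner text straight into the src attribute. Attribute breakout is
// prevented (quotes are escaped), but a javascript: URL is passed through
// untouched, which is exactly what the advisory's payload relies on.
function naiveFilter(message) {
  return escapeHtml(message).replace(IMG_RE, (_, src) => `<img src="${src}">`);
}

// Hardened version: the inner text must parse as an absolute URL whose
// scheme is http or https. The URL parser normalises case and strips the
// whitespace/control characters attackers use to disguise "javascript:",
// so comparing the parsed protocol is more robust than matching the raw
// string. Anything rejected is left as escaped text rather than rendered.
function hardenedFilter(message) {
  return escapeHtml(message).replace(IMG_RE, (whole, src) => {
    let url;
    try {
      url = new URL(unescapeHtml(src));
    } catch (e) {
      return whole; // not an absolute URL: keep it as inert, escaped text
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      return whole; // rejects javascript:, data:, vbscript: and friends
    }
    return `<img src="${escapeHtml(url.href)}">`;
  });
}

// Constructed sample messages: the advisory's payload and a benign image.
const EVIL_MESSAGE = "<IMG>javascript:alert('This is the test')</img>";
const BENIGN_MESSAGE = '<IMG>http://example.com/a.png</img>';

// Stand-alone demonstration of both filters on both inputs.
function demo() {
  return {
    naiveEvil: naiveFilter(EVIL_MESSAGE),
    hardenedEvil: hardenedFilter(EVIL_MESSAGE),
    naiveBenign: naiveFilter(BENIGN_MESSAGE),
    hardenedBenign: hardenedFilter(BENIGN_MESSAGE),
  };
}

console.log(demo());
```

The naive filter emits `<img src="javascript:alert('This is the test')">` for the advisory's payload, while the hardened filter renders the same message as harmless escaped text and still produces a normal `<img>` tag for an http URL. The general lesson is that allowlisting tag names is not enough: any user-supplied value that ends up in a URL-bearing attribute needs its scheme validated after parsing, not just its surrounding markup escaped.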

Reported by Thatsmej <thatsmej@whizkunde.org>.