UseBB color BBCode cross-site scripting
| usebb-colorbbcode-xss (21651) |  Medium Risk |
Description:
UseBB is vulnerable to cross-site scripting caused by improper validation of color BBCode. A remote attacker could exploit this vulnerability to inject arbitrary stylesheet information. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Note: If propagated in Internet Explorer, Javascript execution can occur through the expression() function call.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of UseBB (0.5.1a or later), available from the UseBB Web site. See References.
References:
- BugTraq Mailing List, Thu Jul 28 2005 - 16:54:08 CDT : UseBB Multiple Vulnerabilities.
- Hardened-PHP Project - PHP Security: Advisory 12/2005: UseBB Multiple Vulnerabilities.
- UseBB Web site: UseBB- The Usable Forum Software.
- BID-14412: UseBB BBcode Color Tag Code Injection Vulnerability
- CVE-2005-2438: Cross-site scripting (XSS) vulnerability in UseBB 0.5.1 and earlier allows remote attackers to inject arbitrary Javascript via the BBCode color value.
Platforms Affected:
- UseBB UseBB 0.5.1
Reported:
Jul 28, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net