################################################
Multiple Cross-Site Scripting in BMForum
Vendor URL: http://www.bmforum.com/
Advisory: http://lostmon.blogspot.com/2005/07/multiple-cross-site-scripting-in.html
Vendor notified: yes
Exploit available: yes
################################################

BMForum contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate multiple variables upon submission to multiple scripts (topic.php, forums.php, post.php and announcesys.php; see the proof section below). An attacker can create a specially crafted URL that, when opened by a user, executes arbitrary script in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

####################
VERSIONS
####################
BMForum Datium! 3.0 RC4
BMForum Datium! 3.0 RC3
BMForum Datium! 3.0 RC2
BMForum Datium! 3.0 RC1
BMForum Plus! 3.0 RC4
BMForum Plus! 3.0 RC3
BMForum Plus! 3.0 RC2
BMForum Plus! 3.0 RC1
BMForum Plus!MX 3.0.0.5
BMForum Plus! 2.6.1

###################
Solution:
###################
No solution at this time.
###################
Timeline:
###################
Discovered: 21-0-2005
Vendor notified: 25-07-2005
Disclosure: 27-07-2005

###################
Proof of XSS
###################
[XSS-CODE] marks the point where the injected script goes; [VICTIM] is the host running BMForum.

####################
topic.php
####################
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]

#################
forums.php
#################
http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]

###################
post.php
###################
http://[VICTIM]/post.php?forumid=2\[XSS-CODE]

###################
announcesys.php
###################
http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]

#################
Others
#################
http://[VICTIM]/datafile/regipbans.php      // banned IPs
http://[VICTIM]/bmb/datafile/sendmail.php   // full path disclosure
http://[VICTIM]/post_global.php             // full path disclosure
http://[VICTIM]/bmb/datafile/bbslog2.txt
http://[VICTIM]/bmb/bbslog.txt

###################
End
###################
Thanks to Estrella for being my light.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
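The proof URLs above are templates with a [XSS-CODE] placeholder. As an added example (not part of Lostmon's advisory and not BMForum code), the Python script below fills each template with a harmless random canary tag, fetches the page and reports whether the parameter value came back as live markup ("raw", i.e. reflected XSS), HTML-escaped or stripped ("escaped"), or not reflected at all ("none"). The host name forum.example and the fake_bmforum response generator are constructed so the script runs offline; which parameters it echoes raw is an assumption for the demo, not a statement about any real BMForum script. Point probe_all at a live host only where you are authorised to test.

```python
"""Reflected-XSS probe for the URL patterns listed in this advisory.

Added example for this page, not Lostmon's code or BMForum's. Standard
library only. The host name and the sample responses are constructed.
"""
import html
import secrets
import urllib.parse
import urllib.request

# URL templates as given in the advisory; [XSS-CODE] marks the injection point.
TEMPLATES = [
    "http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]",
    "http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2",
    "http://[VICTIM]/topic.php?filename=1923[XSS-CODE]",
    "http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]",
    "http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=",
    "http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=",
    "http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]",
    "http://[VICTIM]/post.php?forumid=2\\[XSS-CODE]",  # backslash as printed in the advisory
    "http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]",
]


def build_probe_url(template, host, canary):
    """Fill in the host and a URL-encoded canary payload.

    The payload closes a quoted attribute and a tag before opening the canary
    tag, so it breaks out whether the value is echoed into an attribute or into
    the page body. It carries no script: seeing a bare <canary> element in the
    response proves the injection without executing anything in a browser.
    """
    payload = urllib.parse.quote(f'"><{canary}>', safe="")
    return template.replace("[VICTIM]", host).replace("[XSS-CODE]", payload)


def classify_reflection(body, canary):
    """'raw' = canary tag is live markup (XSS); 'escaped' = canary text present
    but the angle brackets were encoded or stripped; 'none' = not reflected."""
    if f"<{canary}>" in body:
        return "raw"
    if canary in body:
        return "escaped"
    return "none"


def _http_get(url, timeout=5):
    """Plain GET, used only when no fetch callable is supplied."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(template, host, fetch=_http_get):
    """Return (url, verdict) for one template against one host."""
    canary = "xss" + secrets.token_hex(6)  # fresh per request so cached pages cannot fool us
    url = build_probe_url(template, host, canary)
    return url, classify_reflection(fetch(url), canary)


def probe_all(host, fetch=_http_get):
    """Probe every template; returns {url: verdict}."""
    return dict(probe(t, host, fetch) for t in TEMPLATES)


def fake_bmforum(url):
    """Constructed stand-in for a vulnerable forum so the example runs offline.

    Assumption for the demo: it echoes the decoded `page` parameter straight
    into the HTML (the kind of flaw the advisory describes) while escaping
    `forumid`, so both verdicts appear side by side. Other parameters are
    ignored and therefore report 'none'.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query,
                                   keep_blank_values=True)
    page = params.get("page", [""])[0]
    forumid = params.get("forumid", [""])[0]
    return (f'<a href="forums.php?forumid={html.escape(forumid)}">forum</a>'
            f"<span>page {page}</span>")


if __name__ == "__main__":
    for probe_url, verdict in probe_all("forum.example", fetch=fake_bmforum).items():
        print(f"{verdict:8} {probe_url}")
```

Only a "raw" verdict is a finding; "escaped" means the value is reflected but neutralised, which is still worth noting because a different encoding context (JavaScript string, unquoted attribute) may not be covered by the same escaping.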