Gnuboard 'download.php' HTML Injection Vulnerability
BID:52622
Info
Gnuboard 'download.php' HTML Injection Vulnerability
| Bugtraq ID: | 52622 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-4873 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 20 2012 12:00AM |
| Updated: | Mar 19 2015 07:35AM |
| Credit: | wh1ant |
| Vulnerable: |
SIR GNUBoard 4.34.20 |
| Not Vulnerable: |
SIR GNUBoard 4.34.21 |
Discussion
Gnuboard 'download.php' HTML Injection Vulnerability
Gnuboard is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.
Gnuboard versions prior to 4.34.21 are vulnerable.
Gnuboard is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.
Gnuboard versions prior to 4.34.21 are vulnerable.
Exploit / POC
Gnuboard 'download.php' HTML Injection Vulnerability
An attacker can exploit this issue through a browser.
The following exploit example is available:
An attacker can exploit this issue through a browser.
The following exploit example is available:
Solution / Fix
Gnuboard 'download.php' HTML Injection Vulnerability
Solution:
Vendor patch is available. Please see the references for more information.
Solution:
Vendor patch is available. Please see the references for more information.