http://www.ihostinghq.com/newspost/18791
"This update also comes with many bug fixes and security patches. Many thanks to Fabian Fäßler of http://www.smrrd.de for pointing out several vulnerabilities."
This is one of the several vulnerabilities:
Class: Stored XSS
Severity: High
Affects: iClan Websites BBCode Parser
Resolved: resolved
iClan Websites is a simple to use website management system designed
for clans and gamers. With loads of themes and hundreds of features,
it's used by all types of teams.
The BBCode Parser doesn't parse input properly. A specially crafted
string results in a stored XSS.
[img][url=//onerror=eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))//][/url][/img]
A stored XSS targets legitimate users and can be used to gather information,
phish credentials, steal cookies and more.
Disable BBCodes.
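As an added illustration (this is not iClan Websites' code; the product's actual parser is not shown on this page), the JavaScript below reproduces the class of defect the advisory describes and places a hardened converter beside it. The tag set ([b], [url=...], [img]), the URL allow-list and the function names are assumptions made for the demonstration; the only input taken from the advisory is the string quoted above.

```javascript
// Added example (not iClan Websites' code): a naive BBCode-to-HTML converter
// showing the class of defect described in the advisory, beside a hardened one.
// Assumed tag set for the demonstration: [b], [url=...], [img].

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Naive converter: tag bodies are dropped straight into attributes and the
// rules run in sequence, so one rule's generated HTML is fed into the next.
function naiveBBCodeToHtml(input) {
  return input
    .replace(/\[url=([^\]]*)\]([\s\S]*?)\[\/url\]/g, '<a href="$1">$2</a>')
    .replace(/\[img\]([\s\S]*?)\[\/img\]/g, '<img src="$1">');
}

// Allow-list for URLs that may become attribute values: absolute http(s),
// a conservative character set, no whitespace, no brackets, no raw quotes.
const SAFE_URL = /^https?:\/\/[A-Za-z0-9\-._~:\/?#@!$&*+,;=%]+$/;

function safeUrl(candidate) {
  return SAFE_URL.test(candidate) ? candidate : null;
}

// Hardened converter:
//  1. HTML-escape the whole input once, so no raw <, >, " or ' reaches output
//     (escaped entities such as &amp; are valid inside href/src values).
//  2. Accept [img] only when its body contains no other tag and passes the
//     URL allow-list; otherwise the text is left as an escaped literal.
//  3. Accept [url=...] only when its argument passes the same allow-list.
// Attribute values are therefore validated tokens, never the output of an
// earlier substitution.
function hardenedBBCodeToHtml(input) {
  const text = escapeHtml(input);
  return text
    .replace(/\[img\]([^\[\]]*)\[\/img\]/g, (whole, body) => {
      const url = safeUrl(body.trim());
      return url ? `<img src="${url}">` : whole;
    })
    .replace(/\[url=([^\[\]]*)\]([\s\S]*?)\[\/url\]/g, (whole, arg, body) => {
      const url = safeUrl(arg.trim());
      return url ? `<a href="${url}">${body}</a>` : whole;
    })
    .replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>');
}

// The string quoted in the advisory above.
const ADVISORY_PAYLOAD =
  '[img][url=//onerror=eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))//][/url][/img]';

// Demonstration: the naive converter emits an onerror handler inside an <img>
// tag; the hardened one returns the input unchanged, as harmless text.
console.log(naiveBBCodeToHtml(ADVISORY_PAYLOAD));
console.log(hardenedBBCodeToHtml(ADVISORY_PAYLOAD));
```

The two design points that matter here are that escaping happens exactly once and before any tag rule runs, and that an [img] body may not contain another tag, so a later rule can never rewrite text that an earlier rule has already placed inside an attribute. The allow-list rejects protocol-relative and non-http(s) values outright rather than trying to strip dangerous pieces out of them.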
Update: fixed by vendor. No action required.
Blog Article about XSS with BBCodes: http://jeffchannell.com/Other/bbcode-xss-howto.html
Talk about hacking a browser game with BBCode XSS (German): http://vimeo.com/channels/409924/35601597