SecurityvulnsSECURITYVULNS:DOC:12089SKForum XSS vuln.
SKForum XSS vuln.
###############################################
Vuln. discovered by : r0t
Date: 5 april 2006
vendor:http://soft.killingar.net/documents/SKForum
affected versions:1.5 and prior
orginal advisory:http://pridels.blogspot.com/2006/04/skforum-xss-vuln.html
###############################################
Vuln. Description:
SKForum contains a flaw that allows a remote cross site scripting
attack. This flaw exists because input passed to "areaID" "time"
"userID" paremeters isn't properly sanitised before being returned to
the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.
examples:
/area.View.action?areaID=[XSS]
/planning.View.action?time=[XSS]
/user.View.action?userID=[XSS]
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/