Info

Disclosure

Dec 24, 2004

Discovery

Nov 20, 2004

Dates

Exploit

Dec 24, 2004

Solution

Unknown

Description

Zeroboard contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user_id variables upon submission to the check_user_id.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

ZeroBoard Systems

ZeroBoard

4.1pl4

References

Security Tracker: 1012677
Bugtraq ID: 12103
Related OSVDB ID: 12580 12581
Secunia Advisory ID: 13649
ISS X-Force ID: 18680
CVE ID: 2004-2738 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0410.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/030224.html
Vendor URL: http://zb.cmsn.net/

Credit

Jeremy Bae - swbaestgsecurity.com - STG Security, Inc.

Direct URL: http://osvdb.org/36218