[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security Vulnerabilities
From: Jing Wang <justqdjing () gmail ! com>
Date: 2015-05-08 17:05:28
Message-ID: CAFWG0-gOvUJ91gk2cH1LDaDEU=+Nw8vPc-ejaRfhDK-09j5DwA () mail ! gmail ! com
[Download RAW message or body]
*Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security
Vulnerabilities*
Exploit Title: Artnana Webboard version 1.4 Multiple XSS Security
Vulnerabilities
Product: Webboard
Vendor: Artnana
Vulnerable Versions: version 1.4
Tested Version: version 1.4
Advisory Publication: May 09, 2015
Latest Update: May 09, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Jing Wang [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)
*Proposition Details:*
*(1) Vendor & Product Description:*
*Vendor:*
Artnana
*Product & Vulnerable Versions:*
Webboard
version 1.4
*Vendor URL & Download:*
Webboard can be obtained from here,
http://www.artnana.com/web-d.php
*Product Introduction Overview:*
"Webboard is Thailand IT company that provide software service. Webboard
can make your website easier and convenience. WebBoard is a discussion
board where you post messages and participate in discussions with the other
people in the course."
*(2) Vulnerability Details:*
Artnana Webboard web application has a computer security bug problem. It
can be exploited by stored XSS attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.
Several other Artnana products 0-day vulnerabilities have been found by
some other bug hunter researchers before. Artnana has patched some of them.
FusionVM Vulnerability Management and Compliance provides sources for the
latest info-sec news, tools, and advisories. It has published suggestions,
advisories, solutions details related to XSS vulnerabilities.
*(2.1) *The first programming code flaw occurs at "&keyword" parameter in
"search_topic.php?" page.
*(2.2) *The second programming code flaw occurs at "&keyword" parameter in
"search_products.php" page.
*References:*
http://www.tetraph.com/security/xss-vulnerability/artnana-webboard-version-1-4-xss/
http://securityrelated.blogspot.com/2015/05/artnana-webboard-version-14-xss-cross.html
https://vulnerabilitypost.wordpress.com/2015/05/08/artnana-webboard-version-1-4-xss/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/artnana-webboard-version-1-4-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154895051990/#
https://progressive-comp.com/?a=139222176300014&r=1&w=1
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44831
https://www.bugscan.net/#!/x/21221
http://bluereader.org/article/30765597
--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic