VID 21391
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description Invision Power Board is affected by a cross-site scripting vulnerability in its handling of the 'Referer' header.
Invision Power Board is a PHP-based Web forum software package distributed by Invision Power Services, Inc. Invision Power Board 2.0 is vulnerable to cross-site scripting because the application fails to filter user-supplied input in the 'Referer' header processed by the index.php script. A remote attacker could create a specially crafted URL link containing malicious script code and persuade a target user to click it. Once the URL is clicked, the embedded code would execute in the victim's Web browser. A remote attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
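The following PHP snippet is an added illustration and is not Invision Power Board's code; it shows the general pattern behind a reflected cross-site scripting flaw in a Referer header and the hardened form a maintainer would use. The function names and the "Back" link are hypothetical.

```php
<?php
// Added illustration (not Invision Power Board's code): the generic pattern behind a
// reflected XSS via the Referer header, beside its hardened form.
// The Referer header is attacker-controlled: a link on a page the attacker controls
// sets it, so it must be treated as untrusted input like any other request field.

// Vulnerable pattern: the raw header value is written straight into the HTML output.
function render_back_link_vulnerable(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return '<a href="' . $referer . '">Back</a>';
}

// Hardened pattern: accept only http(s) URLs and HTML-encode the value (quotes
// included) before it reaches the page, so no header content is parsed as markup.
function render_back_link_safe(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if (!preg_match('#^https?://#i', $referer)) {
        $referer = 'index.php';  // fall back to a fixed, trusted target
    }
    $escaped = htmlspecialchars($referer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Back</a>';
}
```

Output encoding with htmlspecialchars() is the primary fix; the scheme check additionally prevents a non-HTTP value from becoming a link target. Marking the session cookie HttpOnly limits the impact of the cookie-theft scenario described above even if another reflection point is later found.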

* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=10512
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0100.html

* Platforms Affected:
Invision Power Board 2.0
Any operating system, any version
Recommendation No upgrade or patch available as of June 2014.

Upgrade to a new version of Invision Power Board when a version that fixes this problem becomes available from the Invision Power Board Web site at http://www.invisionboard.com
Related URL CVE-2004-1578 (CVE)
Related URL 11332 (SecurityFocus)
Related URL 17604 (ISS)