Vulnerability Note VU#255915

WebBoard does not adequately validate user input thereby permitting arbitrary JavaScript execution

Overview

WebBoard does not adequately validate user input, allowing attackers to execute arbitrary JavaScript code on other WebBoard users' systems.

I. Description

WebBoard is a web application which includes a real-time chat server, using JavaScript alerts to display messages received by other users. WebBoard does not adequately filter messages sent through the chat server, allowing attackers to execute arbitrary JavaScript code on other users' systems.

II. Impact

Attackers can execute arbitrary JavaScript code on other WebBoard client users' systems.

III. Solution

Upgrade

Upgrade to WebBoard version 4.2, available at:

ftp://ftp.chatspace.com/wb/support/software/webboard/webboard_4/windows_edition_msdesql/webboard42.zip

Systems Affected

Vendor	Status	Date Notified	Date Updated
Akiva	Vulnerable	22-Sep-2003

References

http://www.securityfocus.com/bid/2814

Credit

Thanks to Helmuth Antholzer for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public:	2001-06-02
Date First Published:	2002-09-27
Date Last Updated:	2003-09-22
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:	2.56
Document Revision:	3

If you have feedback, comments, or additional information about this vulnerability, please send us email.