US-CERT

Vulnerability Note VU#744590

Board Power contains cross-site scripting vulnerability in the 'action' parameter of 'icq.cgi'

Overview

Board Power fails to filter malicious content provided in the URL, leading to a cross-site scripting vulnerability. Attackers who exploit this vulnerability may be able to execute arbitrary scripts.

I. Description

Board Power is a forum application available for multiple operating systems. There are reports of a cross-site scripting vulnerability in Board Power v2.04 PF. According to the reports, the application fails to filter malicious content passed into the "action" parameter of icq.cgi. Other versions of Board Power may also be affected.

II. Impact

If a site is compromised, sensitive information may be exposed, allowing an attacker to gather information such as passwords and credit card numbers. Information stored in cookies may also be stolen or corrupted.

III. Solution

We are currently unaware of a practical solution to this problem. It appears that Board Power is no longer supported and has not been updated since 2000.
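
With no fix available, one compensating control is to review web server access logs for requests to icq.cgi whose "action" parameter carries anything other than a plain token. The following Python script is an added example, not part of the original note or of Board Power; the allowlist pattern, the Common Log Format layout, the /cgi-bin/ path, the value "view" and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate 'action' values are short alphanumeric tokens.
SAFE_ACTION = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request field of a Common Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not real traffic
    '192.0.2.10 - - [18/Aug/2004:10:00:01 +0000] "GET /cgi-bin/icq.cgi?action=view HTTP/1.0" 200 512',
    '192.0.2.44 - - [18/Aug/2004:10:00:07 +0000] "GET /cgi-bin/icq.cgi?action=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 640',
    '192.0.2.44 - - [18/Aug/2004:10:00:09 +0000] "GET /cgi-bin/icq.cgi?action=%253Cb%253E HTTP/1.0" 200 601',
    '192.0.2.10 - - [18/Aug/2004:10:00:12 +0000] "GET /cgi-bin/other.cgi?action=%3Cb%3E HTTP/1.0" 200 300',
]


def suspicious_actions(line):
    """Return the decoded 'action' values in one log line that fail the allowlist."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/icq.cgi"):
        return []
    flagged = []
    for value in parse_qs(url.query).get("action", []):
        # parse_qs decodes once; keep decoding until the value is stable
        # so that double-encoded markup (%253C) is also normalised.
        previous = None
        while previous != value:
            previous, value = value, unquote(value)
        if not SAFE_ACTION.fullmatch(value):
            flagged.append(value)
    return flagged


def scan(lines):
    """Return (line_number, [flagged values]) for every line that needs review."""
    return [(n, bad) for n, line in enumerate(lines, 1)
            if (bad := suspicious_actions(line))]


if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: action={values!r}")
```

The same allowlist can be enforced in a reverse proxy or request filter in front of the CGI, rejecting requests instead of only reporting them.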

Systems Affected

Vendor | Status | Date Notified | Date Updated
The Webmaster Guide, Inc. | Vulnerable | 29-Jul-2004

References

http://www.securityfocus.com/bid/10734
http://www.securitytracker.com/alerts/2004/Jul/1010708.html
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0642.html
http://xforce.iss.net/xforce/xfdb/16698

Credit

Thanks to Alexander Antipov for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public: 2004-07-15
Date First Published: 2004-08-05
Date Last Updated: 2004-08-18
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric: 3.80
Document Revision: 9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University