Vulnerability Note VU#744590

Board Power contains cross-site scripting vulnerability in the 'action' parameter of 'icq.cgi'

Original Release date: 05 Aug 2004 | Last revised: 18 Aug 2004

Overview

Board Power fails to filter malicious content provided in the URL, leading to a cross-site scripting vulnerability. Attackers who exploit this vulnerability may be able to execute arbitrary scripts.

Description

Board Power is a forum application available for multiple operating systems. There are reports of a cross-site scripting vulnerability in Board Power v2.04 PF. According to the reports, the application fails to filter malicious content passed into the "action" parameter of icq.cgi. Other versions of Board Power may also be affected.

Impact

If a site is compromised, sensitive information may be exposed, allowing an attacker to gather information such as passwords and credit card numbers. Information stored in cookies may also be stolen or corrupted.

Solution

We are currently unaware of a practical solution to this problem. It appears that Board Power is no longer supported and has not been updated since 2000.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
The Webmaster Guide, Inc.Affected26 Jul 200429 Jul 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Alexander Antipov for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 15 Jul 2004
  • Date First Published: 05 Aug 2004
  • Date Last Updated: 18 Aug 2004
  • Severity Metric: 3.80
  • Document Revision: 9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.