Splatt Forum 3.0 - Image Tag HTML Injection

EDB-ID:

21514

Author:

MegaHz

Type:

webapps

Platform:

PHP

Published:

2002-06-06

source: https://www.securityfocus.com/bid/4953/info

Splatt Forum does not filter HTML from image tags. This may allow an attacker to inject arbitrary script code in forum messages. Injected script code will be executed in the browser of an arbitrary web user who views the malicious forum message, in the context of the website running Splatt Forum.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users. 

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]