BBCode XSS Vulnerabilty in Foxrum

Summary

Vulnerability: BBCode XSS Vulnerabilty in Foxrum
Discovered: 2006.01.09
Last Update: 0 n/a
ID: EV0020
CVE: CVE-2006-0156
Risk Level: low
Type: Cross Site Scripting
Status: Unpatched
Vendor: n/a
Vulnerable Software: Foxrum (http://www.foxrum.fr.st/)
Version: 4.0.4f
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Cross Site Scripting found in Foxrum (http://www.foxrum.fr.st/) script.

Arbitrary script code insertion is possible in BBcode.

Vulnerable Script: addpost1.php addtopic1.php

BBcode isn't properly sanitized. This can be used to post arbitrary script code.

PoC/Exploit

BBcode Example:
[url=javascript:alert(XSS)]title[/url]

Solution.

No vendor-provided patch availabve.

Solution: disable BBcode