Non-persistent XSS in WWWThreads (perl version)

Summary

Vulnerability: Non-persistent XSS in WWWThreads (perl version)
Discovered: 2010.11.28
Last Update: n/a
ID: EV0157
CVE: n/a
Risk Level: low
Type: Cross Site Scripting
Status: Unpatched. Vendor notified. No reply from developer(s).
Vendor: WWWThreads (http://www.wwwthreads.com/)
Vulnerable Software: WWWThreads (perl version)
Version: v5.0.8 Pro (perl version)
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A Cross Site Scripting vulnerability was found in the WWWThreads (perl version) script.

Non-persistent XSS
It is possible to inject XSS code into the view parameter of the showflat.pl script.

The view parameter is not sanitized before being used in HTML code.

PoC/Exploit

Non-persistent XSS Example.

XSS example: http://website/cgi-bin/forum/showflat.pl?Cat=&Board=forum&Number=111&page=0&view="<XSS>expanded&sb=1&part=all&vc=1

Solution

A solution for "Non-persistent XSS in WWWThreads (perl version)" is not available. Check the WWWThreads website for updates.
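
The missing sanitization of the view parameter can be closed in two layers: allowlist validation on input and HTML encoding on output. The Perl below is an added example, not code from WWWThreads or a vendor fix; the list of view modes, the default value and the render_field helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the view modes the forum accepts. Only "expanded" appears in
# the advisory; "collapsed" is a guess and must be matched to the real script.
my %ALLOWED_VIEW = map { $_ => 1 } qw(expanded collapsed);
my $DEFAULT_VIEW = 'expanded';

# Output encoding: replace the five characters that can break out of
# HTML text or a quoted attribute value.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Input validation: anything outside the allowlist falls back to the default.
sub clean_view {
    my ($raw) = @_;
    return (defined $raw && $ALLOWED_VIEW{$raw}) ? $raw : $DEFAULT_VIEW;
}

# Hypothetical stand-in for the place where showflat.pl writes the view
# value into the page. The value is always encoded, even after validation.
sub render_field {
    my ($view) = @_;
    return sprintf '<input type="hidden" name="view" value="%s">',
        html_escape($view);
}

# Constructed sample inputs; the second has the shape of the PoC value above.
for my $raw ('expanded', '"<XSS>expanded', undef) {
    my $shown = defined $raw ? $raw : '(missing)';
    print "input:       $shown\n";
    # Both layers: validated first, then encoded.
    print "validated:   ", render_field(clean_view($raw)), "\n";
    # Encoding alone: the markup stays inert inside the attribute value.
    print "encoded:     ", render_field($raw), "\n\n";
}
```

Either layer alone neutralizes the value shown in the PoC URL; applying both keeps the page safe if a new view mode is added to the allowlist without review.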