Project for the bored (lesson from a hacked forum)

I’m giving all the bored programmers out there a project here. I’ll just give some background first, so please bear with me.

I’m a moderator on a fairly large forum, critical security. Like most other forums of that size, there’s always someone trying to hack us. Well… one user did find a new flaw in IPB (which has been reported, BTW) in the PMing system. Essentially this allowed him to run JavaScript when the recipient reads the PM. He sent me a PM with JavaScript which sends my session ID off to a remote page. He also had it alert the text “hacked”, which told me immediately what he’d done. I quickly changed my password and logged out. It was too late; he was in as me and there was nothing I could do.

Linked by shanmuga Sunday, 8th January 2006 2:45AM