Last active December 15, 2015 05:29

This is one of the several vulnerabilities:

Stored XSS in iClan Websites BBCode Parser

Class:          Stored XSS
Severity:       High
Affects:        iClan Websites BBCode Parser
Resolved:       resolved

I. Background

iClan Websites is a simple to use website management system designed
for clans and gamers. With loads of themes and hundreds of features,
it's used by all types of teams.

II. Problem Description

The BBCode Parser does not handle its input properly. A specially crafted
BBCode string results in a stored XSS.
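To make the failure mode concrete, here is an added example (not code from the advisory or from iClan Websites, whose parser is not public here): a minimal BBCode-to-HTML converter written the vulnerable way next to a hardened one. The naive converter substitutes tags without ever escaping the surrounding text, so HTML in a post passes straight through, and it copies a `[url=...]` target into `href` without checking its scheme. The hardened version escapes the whole post first, then re-enables only the allow-listed tags and accepts only `http`/`https` link targets. The sample posts, the function names and the tag subset are constructed for this example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample posts (not taken from the advisory): one ordinary post,
# one that embeds raw HTML inside a tag, one that uses a non-http URL scheme.
SAMPLE_POSTS = [
    "[b]GG[/b] see [url=https://example.com/match]the match[/url]",
    "[b]<img src=x onerror=alert(1)>[/b]",
    "[url=javascript:alert(1)]click[/url]",
]

_B_TAG = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)


def render_bbcode_naive(text: str) -> str:
    """Vulnerable pattern: rewrite tags, never escape the text around them."""
    out = _B_TAG.sub(r"<b>\1</b>", text)
    # The URL target goes into href verbatim, whatever its scheme.
    out = _URL_TAG.sub(r'<a href="\1">\2</a>', out)
    return out


_ALLOWED_SCHEMES = {"http", "https"}


def _safe_href(raw: str) -> Optional[str]:
    """Return an attribute-escaped href for http(s) URLs only; None otherwise."""
    candidate = raw.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() not in _ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_bbcode_safe(text: str) -> str:
    """Hardened pattern: escape everything, then re-enable allow-listed tags."""
    # Step 1: every <, >, &, " and ' in the post becomes an entity, so no
    # user-supplied HTML survives regardless of which BBCode wraps it.
    escaped = html.escape(text, quote=True)

    # Step 2: only the tags we know are converted back into HTML.
    out = _B_TAG.sub(r"<b>\1</b>", escaped)

    def _url(m: "re.Match[str]") -> str:
        # The target was entity-escaped in step 1; decode it for validation,
        # then _safe_href re-escapes it for use inside an attribute.
        href = _safe_href(html.unescape(m.group(1)))
        label = m.group(2)
        if href is None:
            # Unknown scheme (javascript:, data:, ...): drop the link, keep the text.
            return label
        return f'<a href="{href}" rel="nofollow">{label}</a>'

    out = _URL_TAG.sub(_url, out)
    return out


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("naive:", render_bbcode_naive(post))
        print("safe: ", render_bbcode_safe(post))
```

The ordering is the whole point: escaping after tag substitution would also destroy the generated `<b>` and `<a>` markup, so parsers that try to "clean up" later tend to leave gaps. Escaping first and then converting a fixed allow-list, with each attribute value validated and re-escaped, is the pattern to look for when reviewing a BBCode implementation.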


III. Impact

A stored XSS targets legitimate users and can be used to gather information,
phish credentials, steal cookies and more.

IV. Workaround

Disable BBCodes.
Update: fixed by vendor. No action required.

V. Solution

Fixed by vendor. No action required.

VI. References

Blog Article about XSS with BBCodes:
Talk about hacking a browser game with BBCode XSS (German):