https://www.exploit-db.com/exploits/21301
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200206-073

OpenBB是一个基于Web的论坛程序，用PHP实现，可运行于Unix类操作系统下，也可运行于Windows平台。OpenBB对用户输入过滤上存在漏洞，可能使远程攻击者利用在论坛上的发贴对其他用户进行跨站脚本执行攻击。OpenBB支持用户在贴子中使用[img]标记插入图像，但它未对标记中的内容做充分的过滤，这可能导致攻击者在此标记的内容中放入脚本代码，当用户浏览相关页面时，脚本将在用户的浏览器中执行。攻击者可能借此得到用户基于Cookie的认证信息。

source: http://www.securityfocus.com/bid/4171/info

OpenBB is web forum software written in PHP. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

OpenBB allows users to include images in forum messages using image tags, with the following syntax:

[img]url of image[/img]

It is possible to inject arbitrary script code into forum messages via these image tags. Script code will be executed in the browser of the user viewing the forum message, in the context of the website running the vulnerable software. This may allow an attacker to steal cookie-based authentication credentials.

[img]javasCript:alert('Hello world.')[/img]

来源:XF
名称:openbb-img-css(8278)
链接:http://www.iss.net/security_center/static/8278.php
来源:BUGTRAQ
名称:20020225OpenBulletinBoardjavascriptbug.
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=101466092601554&w;=2
来源:community.iansoft.net
链接:http://community.iansoft.net/read.php?TID=5159
来源:BID
名称:4171
链接:http://www.securityfocus.com/bid/4171
来源:OSVDB
名称:5658
链接:http://www.osvdb.org/5658