Phorum 3.4 Cross Site Scripting

From: Peter (pcsat_private)
Date: Wed Apr 02 2003 - 05:19:44 PST

    Description:
    It is possible to insert javascript code in a message and execute it.
    
    1.) go to a phorum
    2.) click on new topic
    3.) enter any name
    4.) enter any email
    5.) enter a title like this: "><script>alert("Vulnerable");</script>
    6.) enter any text
    7.) click the preview button
    8.) click the send button on the top of the page
    
    Solution:
    Edit the source code to strip malicious characters from title or escape 
    malicious characters using addslashes().
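
For anyone patching this, the following added example (not part of the original advisory and not Phorum source code) compares what addslashes() and htmlspecialchars() do to the title from step 5 when it is written back into a form field. It assumes the preview page echoes the title into a double-quoted HTML attribute; the field name "subject" and the helper functions are hypothetical.

```php
<?php
// Added example, not Phorum source code.
// Assumption: the preview page writes the submitted title back into a
// double-quoted HTML attribute; the field name "subject" is hypothetical.

// Title value from step 5 of the report.
$title = '"><script>alert("Vulnerable");</script>';

// Build the preview form field around an already-processed title.
function render_title_field(string $processed): string
{
    return '<input type="text" name="subject" value="' . $processed . '">';
}

// Parse the markup with an HTML parser and count <script> elements that
// ended up as real nodes instead of text inside the attribute value.
function count_script_elements(string $html): int
{
    libxml_use_internal_errors(true);   // tolerate sloppy markup silently
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length;
}

$variants = [
    'raw'              => $title,
    // addslashes() only backslash-escapes ' " \ and NUL. HTML has no
    // backslash escape, so the quote still ends the attribute.
    'addslashes'       => addslashes($title),
    // Output encoding for HTML: < > & " ' become character references.
    'htmlspecialchars' => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $name => $processed) {
    $html = render_title_field($processed);
    printf("%-17s scripts=%d  %s\n", $name, count_script_elements($html), $html);
}
```

A variant that reports zero script elements leaves the title as inert text inside the attribute; any other count means the markup still escapes the field.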
    



    This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 12:47:10 PST