Re: Phorum 3.4 Cross Site Scripting

From: Brian Moon (brianat_private)
Date: Thu Apr 03 2003 - 06:45:01 PST

    In-Reply-To: <20030402131944.18760.qmailat_private>
    
    FYI, the versions prior to 3.4 did not have this problem.
    
    Brian.
    Phorum Dev Team
    
    >From: Peter "Stöckli" <pcsat_private>
    >To: bugtraqat_private
    >Subject: Phorum 3.4 Cross Site Scripting
    >
    >
    >
    >Description:
    >It is possible to insert JavaScript code in a message and execute it.
    >
    >1.) go to a phorum
    >2.) click on new topic
    >3.) enter any name
    >4.) enter any email
    >5.) enter a title in the way like this ">&lt;script&gt;alert("Vulnerable");&lt;/script&gt;
    >6.) enter any text
    >7.) click the preview button
    >8.) click the send button on the top of the page
    >
    >Solution:
    >Edit the source code to strip malicious characters from title or escape
    >malicious characters using addslashes().
    >
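
    Added example, not part of the original thread and not Phorum's code: the quoted report names addslashes() as the escaping function, so this compares it with HTML output encoding via htmlspecialchars() on the reported title, counting the script elements an HTML parser finds in the rendered preview. render_preview() and count_script_elements() are hypothetical helpers, the title is the report's string with the archive's HTML entities decoded (an assumption), and PHP 7.4+ with the DOM extension is assumed.

```php
<?php
// Added illustration; render_preview() and count_script_elements() are
// hypothetical helpers, not Phorum functions.

// Title string from the report, with the archive's HTML entities decoded
// (assumption about what was typed into the form).
$title = '"><script>alert("Vulnerable");</script>';

// Build a minimal preview page that echoes the title in two HTML contexts:
// a double-quoted attribute value and element text.
function render_preview(string $title, callable $encode): string
{
    $t = $encode($title);
    return '<html><body><form>'
         . '<input type="hidden" name="subject" value="' . $t . '">'
         . '<h2>' . $t . '</h2>'
         . '</form></body></html>';
}

// Parse the page with an HTML parser and count the <script> elements
// that ended up in the resulting DOM.
function count_script_elements(string $html): int
{
    libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length;
}

$encoders = [
    'none'             => fn(string $s): string => $s,
    // addslashes() prefixes quotes and backslashes with "\", which is
    // not an escape character in HTML, and leaves < and > untouched.
    'addslashes'       => 'addslashes',
    // htmlspecialchars() with ENT_QUOTES encodes & < > " and '.
    'htmlspecialchars' => fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
];

foreach ($encoders as $name => $encode) {
    $html = render_preview($title, $encode);
    printf("%-17s script elements in DOM: %d\n",
           $name, count_script_elements($html));
}
```

    Only the htmlspecialchars() row should report zero script elements; the same counter can be pointed at a real preview page as a regression check after patching.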
    


