A Phorum's bug...

From: WiciU (vviciuat_private)
Date: Fri May 09 2003 - 10:37:09 PDT

    Hi!
    I have found a bug in Phorum (http://phorum.org/).
    It is possible to inject script code or other HTML tags into the "subject",
    "author's name" or "author's e-mail" of a message in Phorum.
    In the subject (name, e-mail) input of a message you need to write any
    HTML tag like this:
    <<b>script>alert(document.cookie);<<b>/script>
    I have tested it on Phorum 3.4.1 but it probably works in other Phorum 3.x.x
    versions.
    Greetings!
    
    WiciU, Poland
    vviciuat_private
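
Added example, not part of the original post and not Phorum's own code: it shows why a value shaped like the reported subject survives tag filtering, and how encoding the field at output time neutralizes it. The function `weak_filter` is a hypothetical stand-in for this bug class (an assumption, since the post does not show Phorum's filtering code), and the benign subject is a constructed sample.

```php
<?php
// Hypothetical weak filter (assumed for illustration, not Phorum's code):
// step 1 removes <script> tags, step 2 removes simple formatting tags.
// Step 2 can create a tag that step 1 has already finished looking for.
function weak_filter(string $s): string
{
    $s = preg_replace('#</?script[^>]*>#i', '', $s); // blacklist pass
    $s = preg_replace('#</?(b|i|u)>#i', '', $s);     // formatting pass
    return $s;
}

// Output encoding: the stored field is rendered as text, never as markup.
// This is applied where the value is written into the HTML page.
function render_field(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$fields = [
    // Subject value quoted in the report above.
    'reported' => '<<b>script>alert(document.cookie);<<b>/script>',
    // Constructed harmless subject containing markup characters.
    'benign'   => 'Re: is 3 < 4 & 4 > 3?',
];

foreach ($fields as $label => $value) {
    $filtered = weak_filter($value);
    $encoded  = render_field($value);

    printf("[%s]\n", $label);
    printf("  stored value      : %s\n", $value);
    printf("  after weak_filter : %s\n", $filtered);
    printf("  after encoding    : %s\n", $encoded);

    // Defender's check: does the output still contain a raw tag opener?
    printf("  raw '<' in filtered output: %s\n",
        strpos($filtered, '<') !== false ? 'yes' : 'no');
    printf("  raw '<' in encoded output : %s\n\n",
        strpos($encoded, '<') !== false ? 'yes' : 'no');
}
```

Encoding has to be applied to every field the post names (subject, author's name, author's e-mail) at each place the value is written into a page, including message lists and reply headers.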
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 13:14:31 PDT