
Phorum Multiple Cross-Site Scripting/HTML Injection Vulnerabilities

Phorum is prone to multiple cross-site scripting and HTML injection vulnerabilities. The cause of the vulnerabilities is that input supplied via URI parameters and form fields is not sanitized of HTML and script code before being included in web page output.

Remote attackers may create malicious links to a vulnerable script that includes hostile HTML and script code. If such a link were followed by a victim user, the attacker-supplied code would be rendered in the security context of the site hosting the software. Attackers may also persistently inject hostile HTML and script code into the forum software.

Theft of cookie-based authentication credentials is possible, in addition to other attacks.
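The mitigation for both cases described above (reflected input from URI parameters and stored input from form fields) is to encode at output time. This added example is not Phorum's code and not part of the advisory; the function names, the `search` parameter and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Encode a value for an HTML text node or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected case: a URI parameter is echoed back into the page.
// Non-string input (e.g. ?search[]=x) is treated as empty.
function render_search_heading(array $query): string
{
    $term = isset($query['search']) && is_string($query['search'])
        ? $query['search']
        : '';
    return '<h2>Results for "' . h($term) . '"</h2>';
}

// Stored case: text saved from a form field is shown to later visitors.
// Keep the raw text in storage and encode every time it is written to HTML.
function render_message(array $row): string
{
    return '<div class="message">'
        . '<span class="author">' . h((string) $row['author']) . '</span>'
        . '<p>' . nl2br(h((string) $row['body'])) . '</p>'
        . '</div>';
}

// Reduces the impact named in the advisory (cookie theft) if an encoding
// call is missed somewhere: the session cookie is not readable by script.
// Must run before session_start() and before any output.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Constructed sample input carrying markup, as it could arrive via a
// crafted link (query string) or a posted message (form field).
$query = ['search' => '"><script>x</script>'];
$row   = ['author' => 'guest<b>', 'body' => "line one\n<i onmouseover=x>two</i>"];

echo render_search_heading($query), "\n";
echo render_message($row), "\n";
```

In the output every `<`, `>`, `"` and `'` from the sample values appears as an entity (`&lt;`, `&gt;`, `&quot;`, `&#039;`), so the browser displays the text instead of parsing it as markup.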







 

Copyright 2009, SecurityFocus