BugTraq
Phorum 3.4 Cross Site Scripting Apr 02 2003 01:19PM
Peter Stöckli (pcs pcsmedia net) (1 replies)


Description:

It is possible to insert JavaScript code in a message and execute it.

1.) go to a phorum

2.) click on new topic

3.) enter any name

4.) enter any email

5.) enter a title like this: "><script>alert("Vulnerable");</script>

6.) enter any text

7.) click the preview button

8.) click the send button on the top of the page

Solution:

Edit the source code to strip malicious characters from title or escape malicious characters using addslashes().

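The following is an added example, not code from the original post or from Phorum itself; it renders the reported title payload into a form field with the addslashes() approach suggested above and with HTML entity encoding, and checks which of the two leaves a live tag in the output. The input markup is assumed for illustration.

```php
<?php
// Constructed sample title, mirroring the payload quoted in the report.
$title = '"><script>alert("Vulnerable");</script>';

// addslashes() backslash-escapes quotes, backslashes and NUL. It is meant
// for string literals, not HTML: the angle brackets pass through untouched,
// so the closing quote and <script> tag still reach the browser as markup.
function render_with_addslashes(string $title): string {
    return '<input type="text" name="subject" value="'
        . addslashes($title) . '">';
}

// htmlspecialchars() with ENT_QUOTES turns <, >, &, " and ' into entities,
// so the browser shows the title as text inside the attribute instead of
// letting it close the attribute and start a script element.
function render_with_entities(string $title): string {
    return '<input type="text" name="subject" value="'
        . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '">';
}

// Simple defender-side check: does a raw script tag survive in the markup?
function contains_live_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

foreach (['addslashes' => render_with_addslashes($title),
          'htmlspecialchars' => render_with_entities($title)] as $method => $html) {
    printf("%-16s live tag: %s\n%s\n\n",
        $method,
        contains_live_script_tag($html) ? 'yes' : 'no',
        $html);
}
```

Running the script shows a live tag for the addslashes() variant and none for the entity-encoded one; the same encoding must be applied wherever the title is echoed (list view, preview, reply quoting), not only in the preview form.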
Re: Phorum 3.4 Cross Site Scripting Apr 03 2003 06:26AM
Hagen Kühnel - HagK (hagk hagk de)

