BugTraq
Back to list
|
Post reply
Re: Phorum 3.4 Cross Site Scripting
Apr 03 2003 02:45PM
Brian Moon (brian phorum org)
In-Reply-To: <20030402131944.18760.qmail (at) www.securityfocus (dot) com [email concealed]>
FYI, the versions prior to 3.4 did not have this problem.
Brian.
Phorum Dev Team
>From: Peter "Stöckli" <pcs (at) pcsmedia (dot) net [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Phorum 3.4 Cross Site Scripting
>
>
>
>Description:
>It is possible to insert javascript code in a message
and execute it.
>
>1.) go to a phorum
>2.) click on new topic
>3.) enter any name
>4.) enter any email
>5.) enter a title in the way like this
"><script>alert
>("Vulnerable");</script>
>6.) enter any text
>7.) click the preview button
>8.) click the send button on the top of the page
>
>Solution:
>Edit the source code to strip malicious characters
from title or escape
>malicious characters using addslashes().
>
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
FYI, the versions prior to 3.4 did not have this problem.
Brian.
Phorum Dev Team
>From: Peter "Stöckli" <pcs (at) pcsmedia (dot) net [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Phorum 3.4 Cross Site Scripting
>
>
>
>Description:
>It is possible to insert javascript code in a message
and execute it.
>
>1.) go to a phorum
>2.) click on new topic
>3.) enter any name
>4.) enter any email
>5.) enter a title in the way like this
"><script>alert
>("Vulnerable");</script>
>6.) enter any text
>7.) click the preview button
>8.) click the send button on the top of the page
>
>Solution:
>Edit the source code to strip malicious characters
from title or escape
>malicious characters using addslashes().
>
[ reply ]