BugTraq
A Phorum's bug... May 09 2003 05:37PM
WiciU (vviciu poczta onet pl)


Hi!

I have found a bug in Phorum (http://phorum.org/).

It is possible to inject script code or other HTML tags into the "subject", "author's name" or "author's e-mail" of a message in Phorum.

In the subject (name, e-mail) input of a message you need to write any HTML tag like this:

<<b>script>alert(document.cookie);<<b>/script>

I have tested it on Phorum 3.4.1, but it probably works in other Phorum 3.x.x versions.

Greetings!

WiciU, Poland

vviciu (at) poczta.onet (dot) pl
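
Added example, not part of the original post and not Phorum's code: the post does not say how Phorum 3.4.1 filters these fields, so the single-pass tag stripper below is an assumed stand-in, written in Python, that shows why a nested payload of this shape survives such a filter and why encoding the field at output time closes the hole. The function names are hypothetical.

```python
import html
import re

# Payload quoted in the post (subject, author's name or author's e-mail field).
PAYLOAD = "<<b>script>alert(document.cookie);<<b>/script>"

# Assumed filter for illustration: delete anything that looks like a complete tag.
TAG = re.compile(r"<[^<>]*>")


def strip_tags_once(value: str) -> str:
    """Weak: one pass. Removing the inner <b> joins the leftover '<' and
    'script>' into a new tag that the filter never looks at again."""
    return TAG.sub("", value)


def strip_to_fixpoint(value: str) -> str:
    """Less weak: repeat until nothing changes. Still a blocklist approach
    that depends on the pattern matching everything a browser parses."""
    while True:
        stripped = TAG.sub("", value)
        if stripped == value:
            return stripped
        value = stripped


def render_field(value: str) -> str:
    """Hardened: store the text as submitted and HTML-encode it when it is
    written into the page, so markup characters are displayed, not parsed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("single pass :", strip_tags_once(PAYLOAD))
    print("fixpoint    :", strip_to_fixpoint(PAYLOAD))
    print("escaped     :", render_field(PAYLOAD))
```
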
