Tuesday, September 9, 2003, 1:43:59 AM, you wrote:
kyf> Hello, i've just found a new xss vulnerability in phpBB 2.0.6 (i'm not
kyf> sure but i don't think that others versions are vulnerable).
kyf> This vulnerability is located in the [url][/url] bbcode.
kyf> You can insert javascript by doing a thing like that:
kyf> [url=www.google.fr" onclick=alert('Hello')]text[/url]
Think, my phpBB 2.0.5 is not vulnerable.
I posted "[url=www.google.fr" onclick=alert('Hello')]text[/url]" into
the body of the post. No URL link appeared, but I saw the whole
string "[url=www.google.fr" onclick=alert('Hello')]text[/url]" in my
post.
Was I wrong? Where do we need to place that string?
--
Best regards, Victor mailto:mrlomax (at) mail (dot) ru [email concealed]
Topic: Êîãäà ïðàâèòåëü ãîâîðèò îá çàáîòå î áëàãå íàðîäà, îí õî÷åò çàðó÷èòüñÿ åãî äîâåðèåì äëÿ î÷åðåäíîãî îáìàíà.
Tuesday, September 9, 2003, 1:43:59 AM, you wrote:
kyf> Hello, i've just found a new xss vulnerability in phpBB 2.0.6 (i'm not
kyf> sure but i don't think that others versions are vulnerable).
kyf> This vulnerability is located in the [url][/url] bbcode.
kyf> You can insert javascript by doing a thing like that:
kyf> [url=www.google.fr" onclick=alert('Hello')]text[/url]
Think, my phpBB 2.0.5 is not vulnerable.
I posted "[url=www.google.fr" onclick=alert('Hello')]text[/url]" into
the body of the post. No URL link appeared, but I saw the whole
string "[url=www.google.fr" onclick=alert('Hello')]text[/url]" in my
post.
Was I wrong? Where do we need to place that string?
--
Best regards, Victor mailto:mrlomax (at) mail (dot) ru [email concealed]
Topic: Êîãäà ïðàâèòåëü ãîâîðèò îá çàáîòå î áëàãå íàðîäà, îí õî÷åò çàðó÷èòüñÿ åãî äîâåðèåì äëÿ î÷åðåäíîãî îáìàíà.
[ reply ]