Multiple Vulnerabilities in Led-Forums Oct 30 2003 04:04PM
ProXy - (proxy excluded org)

Product: Led-Forums

Versions: Beta 1

Vulnerability: XSS- and redirection-Bug

Date: October 30, 2003

Discovered by: ProXy <proxy (at) excluded (dot) org [email concealed]>

1. - XSS-Bug

The Welcome-Message of the Led-Forums software could be changed by everybody.

Normal Text, HTML and Javascript it's all allowed! :)





2. - Redirection-Bug

HTML-tags are allowed in topic-names as well as Javascript.

So if anybody insert the following JS-code in the topic-field of a new thread

the complete forum-category would be redirected to the adress the attacker indicates.


- ProXy

- http://www.excluded.org

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus