BugTraq
Re: Web Wiz Forums ver. 7.01 Nov 14 2003 08:21AM
bruce webwizguide info (1 replies)
In-Reply-To: <6520144396.20031113223723 (at) hex.net (dot) ru [email concealed]>

HEX has submitted incorrect information on Web Wiz Forums (again!!!).

The values of the variables mentioned by HEX are filtered further on in the code.

The file register_new_user.asp is not a file that exists in Web Wiz Forums version 7.01 or above.

The only variable that was not filtered correctly was the Location field which is populated by a drop down box.

From March 2003 the location variable was changed to filter the location field.

This does not affect versions of Web Wiz Forums from 7.5 and above.

>
>Information :
>°°°°°°°°°°°°
>Language : ASP
>Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
>Website : http://www.webwizforums.com
>Problems : Permanent XSS
>
>
>Objects :
>°°°°°°°
>- register_new_user.asp
>- register.asp
>
>The variables' values are not filtered:
>
>strLocation = Request.Form("location")
>strMessage = Request.Form("signature")
>strPassword = Request.Form("password")

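Why a field populated by a drop-down box still needs server-side filtering, shown as an added example that is not code from Web Wiz Forums or from either poster. The option list and the function names are assumptions; the script is plain VBScript that runs under cscript.exe, and in an ASP page the input would come from Request.Form("location").

```vbscript
Option Explicit

' Constructed allow-list standing in for the options the registration
' form's drop-down offers (hypothetical values, not from Web Wiz Forums).
Dim allowedLocations
allowedLocations = Array("Canada", "France", "Russia", "United Kingdom", "United States")

' Return the matching allow-list entry, or "" when the submitted value is
' not one of the options. The browser only suggests drop-down values; a
' hand-built POST can carry any string, so the server re-checks it.
Function ValidateLocation(submitted)
    Dim candidate, opt
    ValidateLocation = ""
    candidate = Trim(submitted & "")          ' & "" turns Null/Empty into ""
    For Each opt In allowedLocations
        If StrComp(candidate, opt, vbTextCompare) = 0 Then
            ValidateLocation = opt            ' store the canonical spelling
            Exit Function
        End If
    Next
End Function

' Encode for an HTML text or quoted-attribute context. Inside an ASP page
' Server.HTMLEncode does this job; it is written out here so the file
' also runs outside IIS.
Function HtmlEncode(raw)
    Dim s
    s = raw & ""
    s = Replace(s, "&", "&amp;")              ' ampersand first, or later
    s = Replace(s, "<", "&lt;")               ' entities get double-encoded
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "'", "&#39;")
    HtmlEncode = s
End Function

' Constructed sample submissions: one legitimate, one tampered.
Dim samples, submittedValue, stored
samples = Array("france", "<script>alert(1)</script>")
For Each submittedValue In samples
    stored = ValidateLocation(submittedValue)
    If stored = "" Then
        WScript.Echo "rejected: " & HtmlEncode(submittedValue)
    Else
        WScript.Echo "stored:   " & HtmlEncode(stored)
    End If
Next
```

Validation on input and encoding on output are independent layers: the allow-list keeps unexpected values out of the database, and the encoding keeps anything already stored from being rendered as markup.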
Re: Web Wiz Forums ver. 7.01 Nov 14 2003 09:55PM
Thor (thor hammerofgod com)


 

Copyright 2010, SecurityFocus