[37749] in bugtraq

RE: CSS in phpBB 1.4.4

daemon@ATHENA.MIT.EDU (Paul Owen)
Wed Dec 15 18:16:11 2004

Date: Wed, 15 Dec 2004 22:15:33 -0000
Message-ID: <6B48648DBA9C3F40B2F97B7CC14AAEB2E77B@dc1.ettanet.local>
From: "Paul Owen" <paul@ettanet.com>
To: <bugtraq@securityfocus.com>

> phpBB 1.4.4 is vulnerable to Cross Site Scripting Attack.
> 
> [Vulnerable]
> 
> You can put vbscript in [img] bbcode tags.
> For example:
> 
> [img]vbscript: alert(document.cookie)[/img]

phpBB 1.x hasn't been supported for over two years. All users of phpBB
1.x have long been advised to switch to phpBB 2.x or another system (as
they see fit).

psoTFX - phpbb.com
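
For sites still rendering [img] BBCode themselves, the issue quoted above comes down to accepting any URL scheme inside the tag. The following is an added example, not phpBB code and not part of the original message: the function names, the allowlist and the sample posts are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from any phpBB release.

// Only these schemes may appear in an [img] URL (assumed policy).
const ALLOWED_IMG_SCHEMES = ['http', 'https'];

function is_safe_img_url(string $url): bool
{
    // Reject whitespace, control characters, quotes and angle brackets
    // anywhere in the URL before looking at the scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    // Require an absolute URL with an explicit scheme and host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_IMG_SCHEMES, true);
}

function render_img_bbcode(string $text): string
{
    // Escape the whole post first, so the only markup in the output
    // is the <img> element emitted below.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            if (!is_safe_img_url($url)) {
                return $m[0]; // leave the tag as inert, escaped text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts; the second is the string quoted in the report.
$samples = [
    '[img]https://example.com/avatar.png[/img]',
    '[img]vbscript: alert(document.cookie)[/img]',
];
foreach ($samples as $post) {
    echo render_img_bbcode($post), PHP_EOL;
}
```

The first sample is emitted as an `<img>` element; the second fails the scheme and host checks and stays in the page as plain text.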
