[29595] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Phorum 3.4 Cross Site Scripting

daemon@ATHENA.MIT.EDU (Peter "Stöckli)
Wed Apr 2 16:13:15 2003

Date: 2 Apr 2003 13:19:44 -0000
Message-ID: <20030402131944.18760.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Peter "Stöckli" <pcs@pcsmedia.net>
To: bugtraq@securityfocus.com



Description:
It is possible to insert javascript code in a message and execute it.

1.) go to a phorum
2.) click on new topic
3.) enter any name
4.) enter any email
5.) enter a title in the way like this ">&lt;script&gt;alert
("Vulnerable");&lt;/script&gt;
6.) enter any text
7.) click the preview button
8.) click the send button on the top of the page

Solution:
Edit the source code to strip malicious characters from title or escape 
malicious characters using addslashes().


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[29595] in bugtraq

Phorum 3.4 Cross Site Scripting

daemon@ATHENA.MIT.EDU (Peter "Stöckli)Wed Apr 2 16:13:15 2003

daemon@ATHENA.MIT.EDU (Peter "Stöckli)
Wed Apr 2 16:13:15 2003