[29637] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Phorum 3.4 Cross Site Scripting

daemon@ATHENA.MIT.EDU (Brian Moon)
Thu Apr 3 18:52:02 2003

Date: 3 Apr 2003 14:45:01 -0000
Message-ID: <20030403144501.14543.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Brian Moon <brian@phorum.org>
To: bugtraq@securityfocus.com

In-Reply-To: <20030402131944.18760.qmail@www.securityfocus.com>

FYI, the versions prior to 3.4 did not have this problem.

Brian.
Phorum Dev Team

>From: Peter "Stöckli" <pcs@pcsmedia.net>
>To: bugtraq@securityfocus.com
>Subject: Phorum 3.4 Cross Site Scripting
>
>
>
>Description:
>It is possible to insert javascript code in a message
and execute it.
>
>1.) go to a phorum
>2.) click on new topic
>3.) enter any name
>4.) enter any email
>5.) enter a title in the way like this
">&lt;script&gt;alert
>("Vulnerable");&lt;/script&gt;
>6.) enter any text
>7.) click the preview button
>8.) click the send button on the top of the page
>
>Solution:
>Edit the source code to strip malicious characters
from title or escape 
>malicious characters using addslashes().
>


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[29637] in bugtraq

Re: Phorum 3.4 Cross Site Scripting

daemon@ATHENA.MIT.EDU (Brian Moon)Thu Apr 3 18:52:02 2003

daemon@ATHENA.MIT.EDU (Brian Moon)
Thu Apr 3 18:52:02 2003