[31504] in bugtraq
Re: XSS vulnerability in phpBB (an other ;-)
daemon@ATHENA.MIT.EDU (keupon_ps2@yahoo.fr)
Tue Sep 9 16:49:37 2003
Date: 9 Sep 2003 18:47:28 -0000
Message-ID: <20030909184728.4292.qmail@sf-www1-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <keupon_ps2@yahoo.fr>
To: bugtraq@securityfocus.com
In-Reply-To: <20030909171006.23428.qmail@sf-www1-symnsj.securityfocus.com>
Excuse me, i've made a little error in my example.
This will not work:
[url=www.google.fr" onclick="alert('Hello')]text[/url]
but this will work (on phbb 2.0.6):
[url=http://www.google.fr" onclick="alert('Hello')]text[/url]
I don't remeber who has said that it will work on every version of phpBB
but i've tested it on phpBB 2.0.4 and it doesn't work.
An other person has said that it only works with this code:
[url=http://www.google.fr" onclick="alert('Hello');"]text[/url]
I've tested it on 2.0.6 and it works but the code without the ;" works
also.
If you make over tests, please, indicate which version of phpBB you are
using.
