hikaru Administrator
Joined: 20 Nov 2000 Posts: 1581 Location: Kansas City, KS, USA
Posted: Mon Mar 08, 2004 8:45 pm Post subject: phpBB vulnerability.
PHPBB ViewTopic.PHP "postorder" Cross-Site Scripting Vulnera...
BugTraq ID: 9765
Remote: Yes
Date Published: Feb 28 2004
Relevant URL: http://www.securityfocus.com/bid/9765
Summary:
It has been reported that one of the scripts included with phpBB is prone
to a cross-site scripting vulnerability. According to the author of the
report, the script "viewtopic.php" returns the value of the HTML variable
"postorder" to the client as its output without encoding it or otherwise
removing potentially hostile content. This can be exploited by
constructing malicious links with the malicious "postorder" variable value
embedded as a GET request style HTML variable. If the target user visits
such a link, the malicious, externally created content supplied in the
link will be rendered (or executed, in the case of script code) as part of
the viewtopic.php document and within the context of the vulnerable
website (including the phpBB forum).
_________________
Read my comic: http://www.ImperialGelf.com
Read my stories at http://www.IC-Stories.com
http://katayamma.deviantart.com/
"Coming to you Live and Transcribed..." - TVDave
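
An added example, not part of the original post and not phpBB's own code: the unencoded reflection of "postorder" that the advisory describes, beside a version that allow-lists the value and encodes it on output. The helper names and the hidden form field used as the reflection point are assumptions for illustration.

```php
<?php
// Added example: hypothetical helper names, not phpBB source code.

// Allow-list: a sort-order parameter only ever needs two values.
function normalize_postorder($raw): string
{
    // Arrays (?postorder[]=x) and missing values fall back to the default.
    if (!is_string($raw)) {
        return 'asc';
    }
    $value = strtolower(trim($raw));
    return in_array($value, ['asc', 'desc'], true) ? $value : 'asc';
}

// Output encoding for HTML text and quoted attribute values.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern the advisory describes: the request value is echoed back unchanged.
function render_sort_field_unsafe($raw): string
{
    return '<input type="hidden" name="postorder" value="' . $raw . '">';
}

// Hardened: validate on input, encode on output.
function render_sort_field_safe($raw): string
{
    $order = normalize_postorder($raw);
    return '<input type="hidden" name="postorder" value="' . html_attr($order) . '">';
}

// Constructed sample inputs; the third contains benign markup characters.
$samples = ['desc', 'DESC ', 'asc"><b>injected</b>', ['x']];
foreach ($samples as $raw) {
    $shown = is_string($raw) ? $raw : '(array)';
    echo "input:  ", $shown, PHP_EOL;
    if (is_string($raw)) {
        echo "unsafe: ", render_sort_field_unsafe($raw), PHP_EOL;
    }
    echo "safe:   ", render_sort_field_safe($raw), PHP_EOL, PHP_EOL;
}
```

With the third sample, the unsafe output contains a live `<b>` element outside the attribute, while the safe output carries only `value="asc"`.
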
Whip-lash Kneel before me... for I am Root!
Joined: 20 Nov 2000 Posts: 573
Posted: Sun Mar 21, 2004 6:56 pm Post subject:
I'm going to try and spend some time tonight to apply patches for this and other issues. I've got work to do at the office later tonight (around 10-11pm EST), so hopefully I'll be able to get the ones for phpBB2 done before then.