Bugtraq mailing list archives
Re: Phorum 3.4 Cross Site Scripting
From: Brian Moon <brian () phorum org>
Date: 3 Apr 2003 14:45:01 -0000
In-Reply-To: <20030402131944.18760.qmail () www securityfocus com> FYI, the versions prior to 3.4 did not have this problem. Brian. Phorum Dev Team
From: Peter "Stöckli" <pcs () pcsmedia net> To: bugtraq () securityfocus com Subject: Phorum 3.4 Cross Site Scripting Description: It is possible to insert javascript code in a message
and execute it.
1.) go to a phorum 2.) click on new topic 3.) enter any name 4.) enter any email 5.) enter a title in the way like this
"><script>alert
("Vulnerable");</script> 6.) enter any text 7.) click the preview button 8.) click the send button on the top of the page Solution: Edit the source code to strip malicious characters
from title or escape
malicious characters using addslashes().
Current thread:
- Phorum 3.4 Cross Site Scripting Stöckli (Apr 02)
- Re: Phorum 3.4 Cross Site Scripting Hagen Kühnel - HagK (Apr 03)
- <Possible follow-ups>
- Re: Phorum 3.4 Cross Site Scripting Brian Moon (Apr 03)