Bugtraq mailing list archives

Re: Phorum 3.4 Cross Site Scripting

From: Brian Moon <brian () phorum org>
Date: 3 Apr 2003 14:45:01 -0000

In-Reply-To: <20030402131944.18760.qmail () www securityfocus com>

FYI, the versions prior to 3.4 did not have this problem.

Brian.
Phorum Dev Team

From: Peter "StÃ¶ckli" <pcs () pcsmedia net>
To: bugtraq () securityfocus com
Subject: Phorum 3.4 Cross Site Scripting



Description:
It is possible to insert javascript code in a message

and execute it.


1.) go to a phorum
2.) click on new topic
3.) enter any name
4.) enter any email
5.) enter a title in the way like this

">&lt;script&gt;alert

("Vulnerable");&lt;/script&gt;
6.) enter any text
7.) click the preview button
8.) click the send button on the top of the page

Solution:
Edit the source code to strip malicious characters

from title or escape

malicious characters using addslashes().

Current thread:

Phorum 3.4 Cross Site Scripting Stöckli (Apr 02)
- Re: Phorum 3.4 Cross Site Scripting Hagen KÃ¼hnel - HagK (Apr 03)
- <Possible follow-ups>
- Re: Phorum 3.4 Cross Site Scripting Brian Moon (Apr 03)