Bugtraq mailing list archives

Re: XSS vulnerability in phpBB (an other ;-)

From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 9 Sep 2003 19:14:01 -0400 (EDT)


keupon_ps2 () yahoo fr said:

but this will work (on phbb 2.0.6):
[url=http://www.google.fr"; onclick="alert('Hello')]text[/url]

I don't remeber who has said that it will work on every version of phpBB
but i've tested it on phpBB 2.0.4 and it doesn't work.
An other person has said that it only works with this code:
[url=http://www.google.fr"; onclick="alert('Hello');"]text[/url]
I've tested it on 2.0.6 and it works but the code without the ;" works
also.


These discrepancies might be due to differences in how web browsers
render "bad" HTML, rather than a quirk in phpBB.

Since the first example URL doesn't have a closing double-quote
character in the onclick value, some browsers may ignore it
altogether.

It seems likely that some types of XSS-style attacks would only work
in certain web browsers.

Which browsers (and versions) were used when testing this bug?

- Steve

Current thread:

XSS vulnerability in phpBB (an other ;-) keupon_ps2 (Sep 08)
- Re: XSS vulnerability in phpBB (an other ;-) Victor Sheldeshov (Sep 09)
- <Possible follow-ups>
- Re: XSS vulnerability in phpBB (an other ;-) John Smith (Sep 09)
  - Re: XSS vulnerability in phpBB (an other ;-) Michael Renzmann (Sep 09)
- Re: XSS vulnerability in phpBB (an other ;-) omere (Sep 09)
- Re: XSS vulnerability in phpBB (an other ;-) keupon_ps2 (Sep 09)
- Re: XSS vulnerability in phpBB (an other ;-) Everett Feldt (Sep 10)
- Re: XSS vulnerability in phpBB (an other ;-) Steven M. Christey (Sep 10)