Bugtraq mailing list archives
Re: Yabb XSS - or NOT
From: Volker Tanger <vtlists () wyae de>
Date: Sun, 13 Aug 2006 23:56:03 +0200
On 10 Aug 2006 04:13:34 -0000 Outlaw () aria-security net wrote:
> #######################
> Software: YaBB
> #Attack method: Cross Site Scripting
> #
> #Proof of Concept:
> #index.php?action=faqmy&myfaq=yes&id_cat=1&categories=<script>alert("
> #xss")</script>

YaBB in both versions, 1.0 and 2.0/2.1 are PERL scripts, not PHP (http://www.yabbforum.com/). Maybe you are talking about YabbSE (the predecessor of SMF, if I remember correctly)?

Please post the correct name and VERSION number (plus company or developer website) of the buggy software you found. Thanks a lot!

Back to the topic: the YaBB forum scripts written in PERL are (of course) not vulnerable to the PHP attack shown.

Bye

Volker.

--
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB