Bugtraq mailing list archives
Phorum 3.4 Cross Site Scripting
From: Peter "Stöckli" <pcs () pcsmedia net>
Date: 2 Apr 2003 13:19:44 -0000
Description: It is possible to insert javascript code in a message and execute it. 1.) go to a phorum 2.) click on new topic 3.) enter any name 4.) enter any email 5.) enter a title in the way like this "><script>alert ("Vulnerable");</script> 6.) enter any text 7.) click the preview button 8.) click the send button on the top of the page Solution: Edit the source code to strip malicious characters from title or escape malicious characters using addslashes().
Current thread:
- Phorum 3.4 Cross Site Scripting Stöckli (Apr 02)
- Re: Phorum 3.4 Cross Site Scripting Hagen Kühnel - HagK (Apr 03)
- <Possible follow-ups>
- Re: Phorum 3.4 Cross Site Scripting Brian Moon (Apr 03)