Date: Sun, 13 Aug 2006 23:56:03 +0200
From: Volker Tanger <vtlists@...e.de>
To: bugtraq@...urityfocus.com
Subject: Re: Yabb XSS - or NOT

On 10 Aug 2006 04:13:34 -0000
Outlaw@...a-security.net wrote:

> ####################### Software: YaBB
> #Attack method: Cross Site Scripting
> #
> #Proof of Concept:
> #index.php?action=faqmy&myfaq=yes&id_cat=1&categories=<script>alert("xss")</script>

YaBB, in both versions 1.0 and 2.0/2.1, consists of PERL scripts, not PHP
(http://www.yabbforum.com/). Maybe you are talking about YabbSE (the
predecessor of SMF, if I remember correctly)?

Please post the correct name and VERSION number (plus company
or developer website) of the buggy software you found.

Thanks a lot!


Back to the topic: the YaBB forum scripts written in PERL are (of
course) not vulnerable to the PHP attack shown.

Bye

Volker.


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
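
The proof of concept quoted in this thread is a reflected XSS payload: a query-string value that the application echoes into its HTML response. The added example below (not part of the original report or reply, and not YaBB or YabbSE code) parses that quoted URL, shows the vulnerable pattern of interpolating the parameter straight into markup, and shows the hardened pattern of HTML-encoding it first. The parameter name `categories` comes from the quoted URL; the surrounding `<h1>` markup is an assumed rendering context chosen for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The PoC URL quoted in the thread. The value of "categories" is the
# untrusted input; everything else is constructed for this example.
POC_URL = ('index.php?action=faqmy&myfaq=yes&id_cat=1'
           '&categories=<script>alert("xss")</script>')


def reflected_value(url, param):
    """Return the first value of `param` from the URL's query string."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(param, [""])[0]


def render_unescaped(value):
    """Vulnerable pattern: untrusted input interpolated directly into HTML.

    The rendering context (<h1>) is an assumption for illustration.
    """
    return f"<h1>Category: {value}</h1>"


def render_escaped(value):
    """Hardened pattern: HTML-encode the value before interpolation.

    escape() with quote=True also encodes quotes, so the same helper is
    safe inside double-quoted attribute values, not only in text nodes.
    """
    return f"<h1>Category: {escape(value, quote=True)}</h1>"


def contains_script_tag(markup):
    """Detection check: does the rendered markup still carry a <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    value = reflected_value(POC_URL, "categories")
    print("unescaped:", render_unescaped(value))
    print("escaped:  ", render_escaped(value))
```

The point of the two render functions is that the defence lives at the output stage, where the value meets HTML; the same escaping step applies whatever language the server-side scripts happen to be written in.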