Open Source and information security mailing list archives
Date: 3 Apr 2003 14:45:01 -0000
From: Brian Moon <brian@...rum.org>
To: bugtraq@...urityfocus.com
Subject: Re: Phorum 3.4 Cross Site Scripting


In-Reply-To: <20030402131944.18760.qmail@....securityfocus.com>

FYI, the versions prior to 3.4 did not have this problem.

Brian.
Phorum Dev Team

>From: Peter "Stöckli" <pcs@...media.net>
>To: bugtraq@...urityfocus.com
>Subject: Phorum 3.4 Cross Site Scripting
>
>
>
>Description:
>It is possible to insert javascript code in a message and execute it.
>
>1.) go to a phorum
>2.) click on new topic
>3.) enter any name
>4.) enter any email
>5.) enter a title in the way like this
>"<script>alert("Vulnerable");</script>
>6.) enter any text
>7.) click the preview button
>8.) click the send button on the top of the page
>
>Solution:
>Edit the source code to strip malicious characters from title or escape
>malicious characters using addslashes().
>
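An added example, not Phorum's own code and not part of either message above, showing why the suggested fix matters and where it falls short: the title from step 5 rendered three ways in plain PHP. addslashes() only backslash-escapes quotes and backslashes, so the script tag survives it untouched; htmlspecialchars() at the point of output is what neutralises it. The function names and the wrapper markup are assumptions made for the example.

```php
<?php
// Added example (not Phorum code): escaping a user-supplied topic title.
// Function names and the <td> wrapper are hypothetical, chosen for this demo.

declare(strict_types=1);

// Constructed sample: the title given in step 5 of the advisory.
const SAMPLE_TITLE = '<script>alert("Vulnerable");</script>';

// Vulnerable pattern: the stored title is concatenated straight into HTML.
function renderTitleUnsafe(string $title): string
{
    return '<td class="subject">' . $title . '</td>';
}

// addslashes() is a quoting helper for string literals, not an HTML escape:
// it leaves '<' and '>' alone, so the browser still sees a <script> element.
function renderTitleAddslashes(string $title): string
{
    return '<td class="subject">' . addslashes($title) . '</td>';
}

// Hardened pattern: HTML-escape on output. ENT_QUOTES also encodes both
// quote characters, so the same helper is safe inside attribute values.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<td class="subject">' . escapeHtml($title) . '</td>';
}

// Defender's check: after removing the known wrapper, does any raw tag
// remain? Anything matching '<' + letter or '/' came from user data.
function containsRawTag(string $html): bool
{
    $body = substr($html, strlen('<td class="subject">'), -strlen('</td>'));
    return (bool) preg_match('/<[a-zA-Z\/!]/', $body);
}

foreach (['unsafe'           => 'renderTitleUnsafe',
          'addslashes'       => 'renderTitleAddslashes',
          'htmlspecialchars' => 'renderTitleSafe'] as $label => $fn) {
    $out = $fn(SAMPLE_TITLE);
    printf("%-16s raw tag survives: %-3s %s\n",
        $label, containsRawTag($out) ? 'yes' : 'no', $out);
}
```

Run with `php example.php`: the first two rows report that the raw tag survives (the addslashes row merely shows `alert(\"Vulnerable\");`), while the htmlspecialchars row renders `&lt;script&gt;alert(&quot;Vulnerable&quot;);&lt;/script&gt;`, which a browser displays as text. The same escape must be applied everywhere the title is echoed (list view, preview, edit form), not only in one template.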

