lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 9 Sep 2003 10:09:57 +0400
From: Victor Sheldeshov <mrlomax@...l.ru>
To: keupon_ps2@...oo.fr, bugtraq@...urityfocus.com
Subject: Re: XSS vulnerability in phpBB (an other ;-)


Hello keupon,

Tuesday, September 9, 2003, 1:43:59 AM, you wrote:

kyf> Hello, i've just found a new xss vulnerability in phpBB 2.0.6 (i'm not
kyf> sure but i don't think that others versions are vulnerable).
kyf> This vulnerability is located in the [url][/url] bbcode.
kyf> You can insert javascript by doing a thing like that:
kyf> [url=www.google.fr" onclick=alert('Hello')]text[/url]

 Think, my phpBB 2.0.5 is not vulnerable.
 I posted "[url=www.google.fr" onclick=alert('Hello')]text[/url]" into
 the body of the post. No URL link appeared, but I saw the whole
 string "[url=www.google.fr" onclick=alert('Hello')]text[/url]" in my
 post.

 Was I wrong? Where do we need to place that string?
 
-- 
Best regards, Victor mailto:mrlomax@...l.ru
Topic: Когда правитель говорит об заботе о благе народа, он хочет заручиться его доверием для очередного обмана.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ