lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050402174700.26259.qmail@www.securityfocus.com>
Date: 2 Apr 2005 17:47:00 -0000
From: maty siman <maty@...ckmarx.com>
To: bugtraq@...urityfocus.com
Subject: Yet Another Forum.net XSS vulnerabilities




OVERVIEW
=========

"Yet Another Forum.net (http://www.yetanotherforum.net/)
is a opensource discussion forum or bulletin board system
for web sites running ASP.NET. It is ASP.NET based with a
MS SQL backend database.
The full C# source code is available licensed as GPL. "

Several Cross Site Scripting (XSS) vulnerabilities were found.

DETAILS
=======

Due to insufficient input filtering, any user can
insert malicious script code into "name" and "location" fields
and into the "Subject" field of PM.
The scripts may (for example) steal authentication cookies of users
reading messages written by the malicious user.


VULNERABLE VERSIONS
===================

Yet Another Forum.net Version 0.9.9 is vulnerable to this issue.
Prior version were not tested


SOLUTION
========

Yet Another Forum.net's administrator was informed on March 17, 2005.


CREDITS
=======

The vulnerability was researched by Maty Siman (maty@...ckmarx.com)

--
Maty Siman, CISSP
Web: http://www.checkmarx.com/



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ