Message-ID: <4044F660.3040206@ghcif.de>
From: t4c at ghcif.de (t4c [Founder of GHCIF])
Subject: New phpBB ViewTopic.php Cross Site Scripting Vulnerability (with fix)
It's for 2.0.6c and above.
You can fix it using their fix or the one at
http://www.ghcif.de/adv/phpbb206_viewtopic.txt
There's a phpBB announcement on how to fix the hole.
greets
Milan
David Vincent wrote:
>>On 02/28/04 Cheng Peng Su released the following Advisory:
>>
>>################################################
>>Advisory Name:New phpBB ViewTopic.php Cross Site Scripting
>>Vulnerability
>>Release Date: Feb 29,2004
>>Application: phpBB
>>Platform: PHP
>>Version Affected: the latest version
>>Vendor URL: http://www.phpbb.com/
>>Discover: Cheng Peng Su(apple_soup_at_msn.com)
>>################################################
>>
>>Details:
>>This vuln is similar to Arab VieruZ's advisory 'XSS bug in
>>phpBB', this time the problem is not in 'highlight', but in
>>'postorder'. We can inject HTML code; such code could be used to steal
>>cookie information.
>
>
>
> exactly what version is this? they've released a new one as of March 01.
>
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594
>
> new version is 2.0.6d.
>
> -d
--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg
gpg: http://www.ghcif.de/keys/t4c.asc
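
An added example, not part of the original message and not phpBB's own code or the fix linked above: one way to handle a request parameter like 'postorder' so that it cannot carry markup into the page. It assumes the parameter only ever needs the values asc and desc and is echoed back into a page link; the function names, topic id and sample inputs are hypothetical.

```php
<?php
// Added example, not phpBB code. Assumption: 'postorder' has two valid values.

/**
 * Reduce the request's postorder value to a known-good token.
 * Anything outside the allowlist is replaced by the default.
 */
function normalize_postorder(array $query, string $default = 'asc'): string
{
    $allowed = ['asc', 'desc'];
    $raw = $query['postorder'] ?? $default;
    // Arrays (postorder[]=x) and other non-strings fall back to the default.
    if (!is_string($raw)) {
        return $default;
    }
    $value = strtolower(trim($raw));
    return in_array($value, $allowed, true) ? $value : $default;
}

/**
 * Build a pagination link that carries the sort order back to the page.
 */
function topic_link(int $topicId, string $postorder, int $start): string
{
    $url = 'viewtopic.php?' . http_build_query([
        't' => $topicId,
        'postorder' => $postorder,
        'start' => $start,
    ]);
    // Encode for the HTML attribute context even though the value is allowlisted,
    // so a later change to the allowlist cannot reopen the hole.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// Constructed sample inputs, including malformed ones.
$samples = [
    ['postorder' => 'desc'],
    ['postorder' => 'DESC '],
    ['postorder' => '"><b>markup</b>'],
    ['postorder' => ['x']],
    [],
];
foreach ($samples as $query) {
    echo topic_link(42, normalize_postorder($query), 15), "\n";
}
```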