Bugtraq mailing list archives

Re: Yabb XSS - or NOT

From: Volker Tanger <vtlists () wyae de>
Date: Sun, 13 Aug 2006 23:56:03 +0200

On 10 Aug 2006 04:13:34 -0000
Outlaw () aria-security net wrote:

####################### Software: YaBB                                                                       
#Attack method: Cross Site Scripting                                  
#                                                                                       
#Proof of Concept:                                                                      
#index.php?action=faqmy&myfaq=yes&id_cat=1&categories=<script>alert("
#xss")</script>


YaBB in both versions, 1.0 and 2.0/2.1 are PERL scripts, not PHP
(http://www.yabbforum.com/). Maybe you are talking about YabbSE (the
predecessor of SMF, if I remember correctly)? 

Please post the correct name and VERSION number (plus company
or developer website) of the buggy software you found.

Thanks a lot!


Back to the topic: the YaBB forum scripts written in PERL are (of
course) not vulnerable to the PHP attack shown.

Bye

Volker.


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

Current thread:

Yabb XSS Outlaw (Aug 10)
- Re: Yabb XSS - or NOT Volker Tanger (Aug 14)