Bugtraq mailing list archives

Re: phpBB2 2.0.22 Cross Site Scripting Vulnerability

From: neothermic () phpbb com
Date: 3 Jan 2008 17:28:47 -0000

This exploit is a non-issue. It assumes that you have access to the admin panel. At some point we have to trust that 
you are a real admin and not a malicious user.

HTML is allowed in some parts of the ACP due to the fact that BBCode is not parsed in these areas.

I would encourage anyone finding a possible vulnerability in phpBB to report it properly at our security tracker ( 
http://www.phpbb.com/security/ ), or e-mail it to security at phpbb.com

NeoThermic
phpBB Support Team, Audit Team and Incident Investigation Team Leader

Current thread:

phpBB2 2.0.22 Cross Site Scripting Vulnerability bugtraq (Jan 02)
- <Possible follow-ups>
- Re: phpBB2 2.0.22 Cross Site Scripting Vulnerability neothermic (Jan 03)
- Re: Re: phpBB2 2.0.22 Cross Site Scripting Vulnerability admin (Jan 03)
- Re: phpBB2 2.0.22 Cross Site Scripting Vulnerability neothermic (Jan 03)
  - AW: phpBB2 2.0.22 Cross Site Scripting Vulnerability Aufmuth Andreas (Jan 04)