Full Disclosure mailing list archives

RE: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix)

From: David Vincent <david.vincent () mightyoaks com>
Date: Mon, 1 Mar 2004 11:17:53 -0800

On 02/28/04 Cheng Peng Su released the following Advisory:

################################################
Advisory Name:New phpBB ViewTopic.php Cross Site Scripting 
Vulnerability
Release Date: Feb 29,2004
Application: phpBB
Platform: PHP
Version Affected: the lastest version
Vendor URL: http://www.phpbb.com/
Discover: Cheng Peng Su(apple_soup_at_msn.com)
################################################

Details:
~    This vuln is similar to Arab VieruZ's advisory 'XSS bug in
phpBB',this time the problem is not in 'highlight' ,but in
'postorder'.we can inject HTML code,such code could be used to steal
cookie information.



exactly what version is this?  they've released a new one as of March 01.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594

new version is 2.0.6d.

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) David Vincent (Mar 01)
- Re: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) t4c [Founder of GHCIF] (Mar 02)