Full Disclosure mailing list archives
Re: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix)
From: "t4c [Founder of GHCIF]" <t4c () ghcif de>
Date: Tue, 02 Mar 2004 21:02:24 +0000
Its for 2.0.6c and above. You can fix it using their fix or the one http://www.ghcif.de/adv/phpbb206_viewtopic.txt There's an PHPBB Announcment how to fix the hole. greets Milan David Vincent wrote:
On 02/28/04 Cheng Peng Su released the following Advisory: ################################################Advisory Name:New phpBB ViewTopic.php Cross Site Scripting VulnerabilityRelease Date: Feb 29,2004 Application: phpBB Platform: PHP Version Affected: the lastest version Vendor URL: http://www.phpbb.com/ Discover: Cheng Peng Su(apple_soup_at_msn.com) ################################################ Details: ~ This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information.exactly what version is this? they've released a new one as of March 01. http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594 new version is 2.0.6d. -d _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-- Milan 't4c' Berger Network & Security Administrator 21073 Hamburg gpg: http://www.ghcif.de/keys/t4c.asc _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) David Vincent (Mar 01)
- Re: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) t4c [Founder of GHCIF] (Mar 02)