Full Disclosure mailing list archives

Re: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix)

From: "t4c [Founder of GHCIF]" <t4c () ghcif de>
Date: Tue, 02 Mar 2004 21:02:24 +0000

Its for 2.0.6c and above.
You can fix it using their fix or the one

http://www.ghcif.de/adv/phpbb206_viewtopic.txt

There's an PHPBB Announcment how to fix the hole.

greets
Milan

David Vincent wrote:

On 02/28/04 Cheng Peng Su released the following Advisory:

################################################

Advisory Name:New phpBB ViewTopic.php Cross Site ScriptingVulnerability

Release Date: Feb 29,2004
Application: phpBB
Platform: PHP
Version Affected: the lastest version
Vendor URL: http://www.phpbb.com/
Discover: Cheng Peng Su(apple_soup_at_msn.com)
################################################

Details:
~    This vuln is similar to Arab VieruZ's advisory 'XSS bug in
phpBB',this time the problem is not in 'highlight' ,but in
'postorder'.we can inject HTML code,such code could be used to steal
cookie information.




exactly what version is this?  they've released a new one as of March 01.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594

new version is 2.0.6d.

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg

gpg: http://www.ghcif.de/keys/t4c.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) David Vincent (Mar 01)
- Re: New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix) t4c [Founder of GHCIF] (Mar 02)