|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
From: G00db0y (G00db0y
zone-h.org)
Date: Sun Aug 10 2003 - 12:12:22 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
Published: 10 august 2003
Released: 10 august 2003
Name: DcForum+
Affected Systems: 1.2
Issue: Remote attackers can inject XSS script
Author: G00db0yzone-h.org
Vendor: http://www.dcscripts.com/dcforump.shtml
Description
***********
Zone-h Security Team has discovered a flaw in
DcForum+ 1.2 (and older versions?). DcForum+ is a very user friendly
bulletin board program that utilitzes mySQL server on the backend and
PHP on the front end.
Details
*******
It's possibile to inject XSS script in the subject variable.
For example try this:
Your Name: Zone-h Security Team
Your Email: testtest.com
Your Subject: <script>alert(Zone-h)</script>
Your Message: Zone-h.org
Solution:
*********
The vendor has been contacted and a patch was produced.
Suggestions:
************
Filter the subject variable.
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2865/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]