Re: [Full-Disclosure] New phpBB ViewTopic.php Cross Site Scripting Vulnerability (with fix)
From: t4c [Founder of GHCIF] (t4c
ghcif.de)
Date: Tue Mar 02 2004 - 15:02:24 CST
It's for 2.0.6c and above.
You can fix it using their fix or the one
http://www.ghcif.de/adv/phpbb206_viewtopic.txt
There's a PHPBB announcement on how to fix the hole.
greets
Milan
David Vincent wrote:
>>On 02/28/04 Cheng Peng Su released the following Advisory:
>>
>>################################################
>>Advisory Name:New phpBB ViewTopic.php Cross Site Scripting
>>Vulnerability
>>Release Date: Feb 29,2004
>>Application: phpBB
>>Platform: PHP
>>Version Affected: the latest version
>>Vendor URL: http://www.phpbb.com/
>>Discover: Cheng Peng Su(apple_soup_at_msn.com)
>>################################################
>>
>>Details:
>>This vuln is similar to Arab VieruZ's advisory 'XSS bug in
>>phpBB'; this time the problem is not in 'highlight', but in
>>'postorder'. We can inject HTML code; such code could be used to steal
>>cookie information.
>
>
>
> exactly what version is this? they've released a new one as of March 01.
>
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594
>
> new version is 2.0.6d.
>
> -d
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg
gpg: http://www.ghcif.de/keys/t4c.asc
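
The class of fix discussed in this thread, as an added example that is not part of the original messages and is not phpBB's or GHCIF's patch: a request parameter such as `postorder` that only selects a sort direction can be reduced to an allow-list before it is used, and encoded when it is written back into a link. The function names, the `asc`/`desc` value set and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration; not phpBB source. All names below are hypothetical.

// Allow-list: a sort direction can only ever be one of these two tokens.
const POST_ORDERS = ['asc', 'desc'];

function normalize_post_order($raw): string
{
    // Arrays (postorder[]=x), null and other non-strings get the default.
    if (!is_string($raw)) {
        return 'asc';
    }
    $value = strtolower(trim($raw));
    // Strict comparison: anything that is not exactly a known token is dropped,
    // so markup supplied in the parameter never reaches the page.
    return in_array($value, POST_ORDERS, true) ? $value : 'asc';
}

function topic_link(int $topicId, string $postOrder): string
{
    // http_build_query() URL-encodes each value; htmlspecialchars() then makes
    // the whole URL safe inside a double-quoted HTML attribute.
    $url = 'viewtopic.php?' . http_build_query([
        't'         => $topicId,
        'postorder' => $postOrder,
    ]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Next page</a>';
}

// Constructed sample inputs: two valid values, one carrying markup, two of the wrong type.
$samples = ['desc', 'ASC', '"><b>injected</b>', ['desc'], null];

foreach ($samples as $raw) {
    $order = normalize_post_order($raw);
    echo topic_link(1, $order), PHP_EOL;
}
```

The allow-list alone removes the injected markup; the output encoding in `topic_link()` is a second layer that still holds if a later change widens the set of accepted values.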