|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] phpBB Cross Site Scripting Vulnerability
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Tue Aug 19 2003 - 08:30:07 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
phpBB Cross Site Scripting Vulnerability
READ ONLINE:
http://www.secunia.com/advisories/9567/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
phpBB 2.x
DESCRIPTION:
A vulnerability has been identified in phpBB allowing malicious
people to conduct Cross Site Scirpting attacks against users.
The problem exists if certain HTML tags like "<A>" is allowed in
postings. This allows malicious people to insert javascript event
handlers, which essentially can do the same as a script in a
"<SCRIPT>" tag.
Example:
<a href="javascript:evil_function();">My_Site</a>
SOLUTION:
The phpBB developers suggest some possible configuration changes:
http://www.phpbb.com/phpBB/viewtopic.php?t=127525
Secunia recommends that you disable HTML tags in postings.
REPORTED BY / CREDITS:
Marvin Massih
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]