[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
- To: bugtraq@securityfocus.com
- Subject: ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
- From: G00db0y <G00db0y@zone-h.org>
- Date: 10 Aug 2003 17:12:22 -0000
ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
Published: 10 august 2003
Released: 10 august 2003
Name: DcForum+
Affected Systems: 1.2
Issue: Remote attackers can inject XSS script
Author: G00db0y@zone-h.org
Vendor: http://www.dcscripts.com/dcforump.shtml
Description
***********
Zone-h Security Team has discovered a flaw in
DcForum+ 1.2 (and older versions?). DcForum+ is a very user friendly
bulletin board program that utilitzes mySQL server on the backend and
PHP on the front end.
Details
*******
It's possibile to inject XSS script in the subject variable.
For example try this:
Your Name: Zone-h Security Team
Your Email: test@test.com
Your Subject: <script>alert(Zone-h)</script>
Your Message: Zone-h.org
Solution:
*********
The vendor has been contacted and a patch was produced.
Suggestions:
************
Filter the subject variable.
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2865/