Re: [Full-Disclosure] New phpBB ViewTopic.php Cross Site Scriptin g Vulnerability (with fix)

["t4c [Founder of GHCIF]" <t4c@xxxxxxxx>]

Its for 2.0.6c and above.
You can fix it using their fix or the one

http://www.ghcif.de/adv/phpbb206_viewtopic.txt

There's an PHPBB Announcment how to fix the hole.

greets
Milan

David Vincent wrote:
> > On 02/28/04 Cheng Peng Su released the following Advisory:
> >
> > ################################################
> > Advisory Name:New phpBB ViewTopic.php Cross Site Scripting 
> > Vulnerability
> > Release Date: Feb 29,2004
> > Application: phpBB
> > Platform: PHP
> > Version Affected: the lastest version
> > Vendor URL: http://www.phpbb.com/
> > Discover: Cheng Peng Su(apple_soup_at_msn.com)
> > ################################################
> >
> > Details:
> > ~    This vuln is similar to Arab VieruZ's advisory 'XSS bug in
> > phpBB',this time the problem is not in 'highlight' ,but in
> > 'postorder'.we can inject HTML code,such code could be used to steal
> > cookie information.
>
>
>
> exactly what version is this?  they've released a new one as of March 01.
>
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=177594
>
> new version is 2.0.6d.
>
> -d
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg

gpg: http://www.ghcif.de/keys/t4c.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html