phpBB 2.0.21 privmsg.php Cross-Site Request Forgery and XSS

SillyDog701 Forums
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
08 Dec, 2006 4:13 pm: phpBB 2.0.21 privmsg.php Cross-Site Request Forgery and XSS

The following security advisory has been released from Secunia:
phpBB privmsg.php Cross-Site Request Forgery and Cross-Site Scripting

From the new advisory:

Quote:
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched


What the description says:
Quote:

1) The application allows users to send messages via HTTP requests without performing any validity checks to verify the request.
etc.

and
Quote:

2) Input passed to the form field "Message body" in privmsg.php is not properly sanitised before it is returned to the user when sending messages to a non-existent user.
etc.

I.e. the second flaw is a typical cross-site scripting (XSS) issue.
The report says that the latest version 2.0.21 is affected.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8

Last edited by J-M on 08 Dec, 2006 4:17 pm; edited once
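As an added illustration, not code from the advisory or from phpBB itself: a minimal PHP private-message handler showing the two defences the advisory's flaws call for, a session-bound token checked on every POST (flaw 1) and HTML-escaping of the "Message body" before it is echoed back in the "no such user" error (flaw 2). The field names, the `$known_users` list and the commented-out send step are assumptions made for this example.

```php
<?php
// Added example (not phpBB code). Field names, $known_users and the
// send step are hypothetical placeholders for the real privmsg.php logic.
session_start();

// Flaw 1 (CSRF): a message could be sent by any HTTP request with no check
// that the request came from the forum's own form. Bind a random token to
// the session and require it on every state-changing POST.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Flaw 2 (XSS): everything reflected into HTML is escaped first, including
// the message body shown again when the recipient does not exist.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$known_users = ['alice', 'bob'];  // constructed stand-in for the user table

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    $to   = (string) ($_POST['username'] ?? '');
    $body = (string) ($_POST['message'] ?? '');
    if (!in_array($to, $known_users, true)) {
        // The unsafe variant would echo $body unescaped here; h() closes that.
        echo '<p>No such user. Your message was:</p><pre>' . h($body) . '</pre>';
        exit;
    }
    // send_private_message($to, $body);  // hypothetical store-and-deliver step
    echo '<p>Message sent to ' . h($to) . '.</p>';
    exit;
}
?>
<form method="post" action="privmsg.php?mode=post">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input name="username"> <textarea name="message"></textarea>
  <button>Send</button>
</form>
```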
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
08 Dec, 2006 4:28 pm

Thanks J-M,

I will keep an eye on this issue.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
11 Dec, 2006 9:10 am

Thanks for keeping the system secure.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8