
Bugtraq mailing list archives

[Advisory] phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
From: "Florian Hobelsberger / BlueScreen" <genius28 () gmx de>
Date: Wed, 27 Mar 2002 01:08:34 +0100

------------------------------------------------------------
itcp advisory 5 advisories () it-checkpoint net
March 21st, 2002
------------------------------------------------------------

phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
-------------------------

Affected program: phpBB 1.4.4
Vendor: www.phpBB.org
Vulnerability-Class: Cross Site Scripting (CSS)
OS specific: No
Problem-Type: remote


After a similar bug was discovered in phpBB 1.4.2, the authors fixed the bug
with which JavaScript could be inserted by using an [IMG] tag like:


But there is only a check when you post new messages. If you just edit an
existing message, you still can use this bug to insert JavaScript.


There is no check in the edit function of phpBB 1.4.4 whether JavaScript or
other unwanted code is written within IMG tags.


Cookies can be stolen.
Hint: What CSS can be used for is currently being discussed on Bugtraq.
Perhaps you should just visit one of the many Bugtraq archives to learn
about the dangers of CSS vulnerabilities.


Create a new topic or reply to an existing one.
Then, after posting your message, click on the "edit button" and enter
anywhere in your posting:


After posting the message, you should see the contents of the cookie
for the site you are currently visiting.


Update to newer versions (phpBB2 seems not to be vulnerable) or just
implement a routine which checks if at the beginning of [IMG]-tags stands a

The vendor has not been contacted, since newer versions (at least phpBB2) seem
not to be vulnerable.

Bug discovered and published by tSR / Sascha Möke and BlueScreen / Florian
Hobelsberger from www.IT-Checkpoint.net

The information in this bulletin is provided "AS IS" without warranty of any
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special

BlueScreen / Florian Hobelsberger (UIN: 101782087)
BlueScreen () IT-Checkpoint net

Member of:

Bugreplace Technologies - We work for your Security
Sales Bureau Munich
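
The advisory's root cause is a check applied when a message is posted but not when it is edited. The following is an added example, not phpBB code and not from the advisory's authors: it puts the [IMG] URL check in one routine that both the post and edit paths call. All function names and the sample messages are hypothetical and constructed for illustration.

```php
<?php
// Added example: not phpBB code. All function names and inputs are hypothetical.

// Allow only plain http(s) URLs in [IMG] tags.
function is_safe_img_url(string $url): bool
{
    // Reject anything outside printable ASCII (spaces, control characters)
    // and characters that could close an attribute or a tag.
    if (preg_match('/[^\x21-\x7e]|["\'<>`]/', $url)) {
        return false;
    }
    // Allowlist the scheme instead of blocklisting known-bad ones.
    return preg_match('#^https?://[a-z0-9.-]+(:\d+)?(/.*)?$#i', $url) === 1;
}

// One validation routine shared by every code path that stores a message.
function check_message(string $message): void
{
    preg_match_all('#\[img\](.*?)\[/img\]#is', $message, $matches);
    foreach ($matches[1] as $url) {
        if (!is_safe_img_url($url)) {
            throw new InvalidArgumentException('Rejected [IMG] URL');
        }
    }
}

function new_post(array &$posts, string $message): int
{
    check_message($message);
    $posts[] = $message;
    return count($posts) - 1;
}

function edit_post(array &$posts, int $id, string $message): void
{
    check_message($message); // same check as new_post, so edits cannot skip it
    $posts[$id] = $message;
}

// Constructed sample input.
$posts = [];
$id = new_post($posts, 'Photo: [img]http://example.com/cat.png[/img]');
try {
    edit_post($posts, $id, 'Photo: [img]javascript:void(0)[/img]');
} catch (InvalidArgumentException $e) {
    echo "Edit rejected; stored post unchanged: {$posts[$id]}\n";
}
```

Validation at storage time does not replace output encoding: the code that renders the message should still HTML-escape the URL before placing it in the `src` attribute.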
