
Bugtraq mailing list archives

ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability
From: G00db0y <G00db0y () zone-h org>
Date: 10 Aug 2003 17:12:22 -0000

ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability

Published: 10 August 2003

Released: 10 August 2003

Name: DcForum+

Affected Systems: 1.2

Issue: Remote attackers can inject XSS script

Author: G00db0y () zone-h org

Vendor: http://www.dcscripts.com/dcforump.shtml



Zone-h Security Team has discovered a flaw in DcForum+ 1.2 (and older versions?).
DcForum+ is a very user friendly bulletin board program that utilizes a mySQL
server on the backend and PHP on the front end.


It's possible to inject XSS script in the subject variable.

For example try this:

Your Name: Zone-h Security Team

Your Email: test () test com

Your Subject: <script>alert(Zone-h)</script>

Your Message: Zone-h.org



The vendor has been contacted and a patch was produced.



Filter the subject variable.

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2865/
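As an added illustration of the "filter the subject variable" fix (example code written for this archive page, not DcForum+'s own source), the following PHP contrasts echoing the stored subject verbatim with HTML-encoding it on output, using the subject payload quoted above as constructed input. Function names are hypothetical.

```php
<?php
// Added example, not DcForum+ code: rendering the user-supplied "subject"
// field so that markup such as <script>alert(Zone-h)</script> is displayed
// as literal text instead of being executed by the reader's browser.

// Vulnerable pattern: the stored subject is concatenated into the page as-is,
// so any tags the poster typed become part of the HTML the browser parses.
function render_subject_unsafe(string $subject): string
{
    return '<h2 class="subject">' . $subject . '</h2>';
}

// Hardened pattern: encode on output. ENT_QUOTES also converts ' and ", so
// the value stays inert inside attribute values; the explicit charset avoids
// browser/PHP encoding mismatches that can defeat the escaping.
function render_subject_safe(string $subject): string
{
    $encoded = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="subject">' . $encoded . '</h2>';
}

// Input-side check useful for logging or alerting on submissions that carry
// HTML tags. This is a detection aid only; output encoding remains the fix.
function subject_contains_markup(string $subject): bool
{
    return $subject !== strip_tags($subject);
}

// Constructed sample input: the subject payload quoted in the advisory.
$subject = '<script>alert(Zone-h)</script>';

// Unsafe rendering emits the script tag unchanged.
echo render_subject_unsafe($subject), PHP_EOL;

// Safe rendering emits the same text with < > & " ' replaced by entities.
echo render_subject_safe($subject), PHP_EOL;

// Flag the submission so it can be reviewed in the forum's logs.
if (subject_contains_markup($subject)) {
    error_log('subject field contained HTML markup: ' . $subject);
}
```

Encoding must be applied at every place the subject is displayed (thread index, message view, e-mail notifications), since a single unescaped sink re-opens the issue.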
