Multi Ethnic Hacking Group


    Phorum <= 5.2.11 Permanent Cross Site Scripting Vulnerabilities


    Post by Foxi on Thu Jul 23, 2009 4:33 am

    //----- Advisory

    Program : Phorum 5.2.11 and prior
    Homepage : http://www.phorum.org/
    Discovery : 2009/07/16
    Author Contacted : 2009/07/17
    Found by : CrashFr
    This Advisory : CrashFr

    //----- Application description


    Started in 1998, Phorum was the original PHP and MySQL based Open Source
    forum software. Phorum's developers pride themselves on creating message
    board software that is designed to meet different needs of different web
    sites while not sacrificing performance or features.


    //----- Description of vulnerability


    Phorum's filtering engine insufficiently filters some BBcode arguments.
    Using the bbcode tags [color] and [size] it is possible to execute JavaScript
    using the expression CSS property.


    //----- Proof Of Concept


    When the user posts the following bbcode:

    [color=#000000;xss:expression(alert(document
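
A defensive counterpart to the weakness the advisory describes, added here as an example; it is not part of the original post and is not Phorum's code. It shows why HTML-escaping a [color] or [size] argument is not enough once the value lands inside a style attribute, next to an allowlist check that closes the gap. All function names and sample arguments are constructed for illustration.

```php
<?php
// Illustrative weak pattern (assumed, not Phorum's actual code): the argument
// is HTML-escaped, but ';' still lets a poster append extra CSS declarations
// such as an expression() property inside the style attribute.
function render_color_naive(string $arg, string $text): string {
    return '<span style="color:' . htmlspecialchars($arg, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Allowlist: a 3- or 6-digit hex colour, or a bare colour keyword.
// \A and \z anchor the whole string, so nothing can trail the value.
function valid_color(string $arg): bool {
    return preg_match('/\A(?:#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})\z/i', $arg) === 1;
}

// Allowlist: up to three digits followed by a known unit.
function valid_size(string $arg): bool {
    return preg_match('/\A[0-9]{1,3}(?:px|pt|em|%)\z/i', $arg) === 1;
}

// Emit styling only when the argument passes its allowlist; otherwise keep
// the escaped text and drop the tag. The validated argument contains only
// characters the patterns above permit, so it is safe inside style="...".
function render_tag(string $tag, string $arg, string $text): string {
    $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    if ($tag === 'color' && valid_color($arg)) {
        return '<span style="color:' . $arg . '">' . $safeText . '</span>';
    }
    if ($tag === 'size' && valid_size($arg)) {
        return '<span style="font-size:' . $arg . '">' . $safeText . '</span>';
    }
    return $safeText;
}

// Constructed sample arguments: two well-formed, two carrying an extra declaration.
$samples = [
    ['color', '#000000'],
    ['color', '#000000;x:expression(1)'],
    ['size',  '12px'],
    ['size',  '12px;x:expression(1)'],
];

foreach ($samples as [$tag, $arg]) {
    echo "[$tag=$arg]\n  hardened: ", render_tag($tag, $arg, 'hello'), "\n";
}
// The naive renderer passes the extra declaration through unchanged.
echo "naive: ", render_color_naive('#000000;x:expression(1)', 'hello'), "\n";
```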
