phpBB Cross Site Scripting Vulnerability
Date: Wednesday, August 20 @ 10:00:00 CEST
Topic: Security


For those people operating phpBB with HTML enabled: we have been notified by Marvin Massih of a possible cross site scripting issue. It will primarily affect those who have enabled the a (anchor) tag, but it may impact certain other tags too, depending on what functionality they offer.

The problem occurs because users may enter "javascript:" within a given URL ... which can of course be used to grab local cookie information (for example) from the client.

At this time we advise everyone with HTML enabled to remove the a tag from the list of allowed tags (Admin Panel -> General -> Configuration -> Allowed tags). There really is no reason to allow the anchor tag anyway; BBCode provides appropriate functionality for linking.
http://www.phpbb.com/phpBB/viewtopic.php?t=127525
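
To show why a "javascript:" URL inside an allowed tag cannot be caught by a plain string match, the following added example (not phpBB code and not part of the original advisory) audits the href values of a tags against a scheme allowlist after normalising them the way a browser does. The allowlist, the function names and the sample posts are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist for this example; anything else (javascript:, data:, ...) is rejected.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Browsers remove tab/CR/LF from anywhere in a URL and skip leading control
# characters and spaces, so the check must normalise the value the same way.
IGNORED_IN_URL = re.compile(r"[\t\r\n]")
LEADING_JUNK = "".join(chr(c) for c in range(0x21))
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def href_is_allowed(href):
    """True if href is relative or uses an allowlisted scheme."""
    cleaned = IGNORED_IN_URL.sub("", href).lstrip(LEADING_JUNK).lower()
    match = SCHEME_RE.match(cleaned)
    # No scheme at all means a relative link, which is acceptable.
    return match is None or match.group(1) in ALLOWED_SCHEMES


class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values,
        # so "&#106;avascript:" reaches this point as "javascript:".
        for name, value in attrs:
            if tag == "a" and name == "href" and value and not href_is_allowed(value):
                self.rejected.append(value)


def rejected_hrefs(post_html):
    audit = AnchorAudit()
    audit.feed(post_html)
    audit.close()
    return audit.rejected


# Constructed sample posts (not taken from the advisory).
SAMPLE_POSTS = [
    '<a href="http://www.phpbb.com/">phpBB</a>',
    '<a href="viewtopic.php?t=1">relative</a>',
    '<A HREF="JavaScript:void(0)">mixed case</A>',
    '<a href="&#106;avascript:void(0)">entity-encoded</a>',
    '<a href=" java&#9;script:void(0)">padded</a>',
]
```

Calling rejected_hrefs() on each entry of SAMPLE_POSTS returns an empty list for the first two posts and the offending href for the last three.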





This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=526