90
phpBB viewtopic.php cross site scripting
CGI
2004/03/23
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
2004/11/14
2.0
Corrected the plugin structure and added the accuracy values in 1.2. Improved the pattern matching and introduced the plugin changelog in 2.0
tcp
80
open|send GET /viewtopic.php?t=10&postdays=99atk HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ### *atk*
99
There is a similar check done in ATK plugin id 91.
http://www.securityfocus.com/archive/1/357401
phpBB Group phpBB 2.0 to 2.0.6
phpBB Group phpBB newer than 2.0.6 and other web boards
Cross Site Scripting
The remote host is running phpBB. There is a cross site scripting vulnerability in the files ViewTopic.php and ViewForum.php
Upgrade to the latest version of this software and limit unwanted connections and communications with firewalling.
1 hour
Yes
http://www.securityfocus.com/bid/9865/exploit/
Yes
Yes
Medium
8
8
8
8
Serious
Nessus is able to do the same check.
9865
12093
Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427
http://www.computec.ch
