Phorum register.php Username Field XSS

2005-09-01T05:43:51
ID OSVDB:19155
Type osvdb
Reporter Scott Dewey(wr0ck.lists@gmail.com)
Modified 2005-09-01T05:43:51

Description

Vulnerability Description

Phorum contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate user-supplied input in the 'Username' field upon submission to the 'register.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 5.0.18a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
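As an added illustration (not Phorum's code and not taken from the advisory), the PHP fragment below shows the pattern behind this class of flaw next to its corrected form: a registration handler re-displays the submitted username in the form, once copied in raw and once validated against an allowlist and HTML-encoded for the attribute context. The form field name and the username policy are assumptions.

```php
<?php
// Constructed example, not Phorum's register.php.
declare(strict_types=1);

// Vulnerable pattern: raw user input concatenated into an HTML attribute.
// Any quote or angle bracket in $username lands in the page unchanged.
function render_form_vulnerable(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hypothetical username policy: 3-30 characters, letters, digits, '_' or '-'.
function is_valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{3,30}$/', $username);
}

// Encode for an HTML attribute: ENT_QUOTES covers both quote styles so the
// value cannot terminate the attribute; an explicit charset avoids confusion.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: reject malformed input, and encode whatever is reflected.
function render_form_hardened(string $username): string
{
    if (!is_valid_username($username)) {
        // Do not echo the rejected value; show a fixed message instead.
        return '<p>Invalid username.</p>'
             . '<input type="text" name="username" value="">';
    }
    return '<input type="text" name="username" value="'
         . html_attr($username) . '">';
}

// Constructed sample containing attribute-breaking characters.
$sample = 'bob"<i>x</i>';
echo render_form_vulnerable($sample), "\n"; // markup survives into the page
echo render_form_hardened($sample), "\n";   // rejected by the allowlist
echo render_form_hardened('bob_01'), "\n";  // accepted, encoded on output
```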

References:

Vendor URL: http://www.phorum.org
Secunia Advisory ID: 16667
Related OSVDB ID: 19156
Related OSVDB ID: 19157
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0048.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0018.html
ISS X-Force ID: 22107
CVE-2005-2836
Bugtraq ID: 14726