phpBB admin_styles.php Theme Name Field XSS

2006-03-31T07:32:39
ID OSVDB:24356
Type osvdb
Reporter Preddy(lil.turk@email.com)
Modified 2006-03-31T07:32:39

Description

Vulnerability Description

phpBB contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate or encode the 'Theme Name' field submitted to the admin_styles.php script before echoing it back into the page. This could allow an attacker to craft a URL or form submission that executes arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Note that admin_styles.php is part of the phpBB administration panel and is only reachable with an administrator session, so a practical attack requires the crafted input to be submitted by, or the crafted URL followed by, a logged-in administrator.
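As an added illustration of the bug class described above (this is not phpBB's code and does not reproduce the logic of admin_styles.php), the following PHP shows a submitted field concatenated straight into an HTML attribute beside the hardened form that encodes for that context and validates the value on the way in. The function names, the accepted-character pattern and the payload string are assumptions made for the example.

```php
<?php
// Added illustration only: not phpBB's admin_styles.php. It shows a form field
// echoed back into HTML without encoding (the advisory's bug class) next to the
// hardened form. Function names, the regex and the payload are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the submitted value is concatenated into markup as-is.
// A value containing a double quote closes the attribute early, and whatever
// follows is parsed as new HTML by the browser.
function render_theme_name_vulnerable(string $theme_name): string
{
    return '<input type="text" name="theme_name" value="' . $theme_name . '" />';
}

// Hardened pattern: encode for the HTML attribute context the value lands in.
// ENT_QUOTES encodes both " and ', so the value cannot break out of the
// attribute whichever quote style the template uses.
function render_theme_name_fixed(string $theme_name): string
{
    $safe = htmlspecialchars($theme_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="theme_name" value="' . $safe . '" />';
}

// Server-side check on the way in: a theme name has no legitimate need for
// markup characters, so reject unexpected input instead of only encoding it
// (the allowed character set here is an assumption for the example).
function is_valid_theme_name(string $theme_name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _.-]{1,30}$/', $theme_name);
}

// Constructed sample payload: closes the value attribute, then injects script.
$payload = '"><script>alert(document.cookie)</script>';

echo 'vulnerable: ' . render_theme_name_vulnerable($payload) . PHP_EOL;
echo 'fixed:      ' . render_theme_name_fixed($payload) . PHP_EOL;
echo 'accepted:   ' . var_export(is_valid_theme_name($payload), true) . PHP_EOL;
echo 'accepted:   ' . var_export(is_valid_theme_name('subSilver'), true) . PHP_EOL;
```

Run it with `php example.php` and compare the two rendered `<input>` elements: in the vulnerable output the injected `<script>` element sits outside the attribute, while in the fixed output the quote and angle brackets are entity-encoded and stay inert text. Encoding on output is the fix for the rendering bug; the input check is a defense in depth that keeps such values out of the database in the first place.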

Solution Description

At the time of this entry, there are no known upgrades, patches, or workarounds available to correct this issue. Because admin_styles.php requires an administrator session, limiting who holds administrator access and who can reach the administration panel reduces exposure until a fix is available.

References:

Vendor URL: http://www.phpbb.com/
Related OSVDB ID: 24357
Related OSVDB ID: 24353
Related OSVDB ID: 24354
Related OSVDB ID: 24355
Other Advisory URL: http://osvdb.org/ref/24/24353-phpbb.txt
CVE ID: CVE-2006-1775