FUDforum - RDF feed
http://fudforum.org/forum/index.php
Cross-site scripting attacks
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167755&th=120592#msg_167755
I've found a critical bug in FUDforum that can be used for a cross-site scripting attack.
An attacker could generate a specially prepared data-URL which contains an HTML document with JavaScript code and put a link to it into a forum message. This code will be executed in the context of the forum domain if any user clicks on the link.
So with Ajax the script can read out the SQ or other data and do anything.
All versions of FUDforum (at least since 2.7.7) are affected. I think versions earlier than 2.7.7 will also be affected, but I did not try it out.
I think you should really disable data-URLs in hyperlinks.
mikrochip, 2012-09-13T14:46:23-00:00
Re: FUDforum 3.0.4.1 released
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167767&th=120592#msg_167767
StephenKing, 2012-09-15T13:04:30-00:00
Re: Cross-site scripting attacks
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167768&th=120592#msg_167768
If you don't want to respond to my private mail, please post it here so it can be validated and fixed.
naudefj, 2012-09-16T16:33:21-00:00
Aw: Re: FUDforum 3.0.4.1 released
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167769&th=120592#msg_167769
StephenKing wrote on Sat, 15 September 2012 09:04:
You've already heard of responsible disclosure?
I'm sorry. It's the first vulnerability I ever found and I did not really know how to react. I was a little bit nervous and didn't think enough about my practice.
mikrochip, 2012-09-16T23:22:01-00:00
Re: Aw: Re: FUDforum 3.0.4.1 released
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167772&th=120592#msg_167772
naudefj, 2012-09-18T05:47:03-00:00
Re: Aw: Re: FUDforum 3.0.4.1 released
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=167786&th=120592#msg_167786
http://fudforum.svn.sourceforge.net/fudforum/?rev=5545&view=rev
naudefj, 2012-09-22T14:52:04-00:00