FUDforum: Bug Reports » Cross-site scripting attacks

Home » FUDforum Development » Bug Reports » Cross-site scripting attacks

Show: Today's Messages :: Polls :: Message Navigator

Cross-site scripting attacks [message #167755]

Thu, 13 September 2012 14:46

mikrochip

Messages: 2
Registered: September 2012

Karma:

Junior Member

Hi!

I've found a critical bug in FUDforum that can be used for a Cross-site scripting attack.
An attacker could generate a special prepared data-URL which contains a HTML document with java script code and put a link to it into a forum message. This code will be executed in the context of the forum domain if any user clicks at the link.
So with Ajax the script can read out the SQ or other data and do anything.

All versions of FUDforum (at least since 2.7.7) are affected. I think earlier versions than 2.7.7 will also be affected, but I did not try it out.
I think you should really disable data-URLs in hyperlinks.

Report message to a moderator

[Message index]

		Cross-site scripting attacks By: mikrochip on Thu, 13 September 2012 14:46
		Re: FUDforum 3.0.4.1 released By: StephenKing on Sat, 15 September 2012 13:04
		Re: Cross-site scripting attacks By: naudefj on Sun, 16 September 2012 16:33
		Aw: Re: FUDforum 3.0.4.1 released By: mikrochip on Sun, 16 September 2012 23:22
		Re: Aw: Re: FUDforum 3.0.4.1 released By: naudefj on Tue, 18 September 2012 05:47
		Re: Aw: Re: FUDforum 3.0.4.1 released By: naudefj on Sat, 22 September 2012 14:52

Previous Topic:	Error with Googlebot / Invalid links
Next Topic:	Syntax error in code generated after adding {IF} to template

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sun Apr 28 16:34:07 GMT 2024

Total time taken to generate the page: 0.04003 seconds