FUDforum: Bug Reports » Cross-site scripting attacks

Home » FUDforum Development » Bug Reports » Cross-site scripting attacks

Show: Today's Messages :: Unread Messages :: Polls :: Message Navigator
| Subscribe to topic | Bookmark topic

Cross-site scripting attacks [message #167755]

Thu, 13 September 2012 10:46

mikrochip

Messages: 2
Registered: September 2012

Karma:

Junior Member

add to buddy list
ignore all messages by this user

Hi!

I've found a critical bug in FUDforum that can be used for a Cross-site scripting attack.
An attacker could generate a special prepared data-URL which contains a HTML document with java script code and put a link to it into a forum message. This code will be executed in the context of the forum domain if any user clicks at the link.
So with Ajax the script can read out the SQ or other data and do anything.

All versions of FUDforum (at least since 2.7.7) are affected. I think earlier versions than 2.7.7 will also be affected, but I did not try it out.
I think you should really disable data-URLs in hyperlinks.

Report message to a moderator

Rate author: +1 -1

[Message index]

		Cross-site scripting attacks By: mikrochip on Thu, 13 September 2012 10:46
		Re: FUDforum 3.0.4.1 released By: StephenKing on Sat, 15 September 2012 09:04
		Re: Cross-site scripting attacks By: naudefj on Sun, 16 September 2012 12:33
		Aw: Re: FUDforum 3.0.4.1 released By: mikrochip on Sun, 16 September 2012 19:22
		Re: Aw: Re: FUDforum 3.0.4.1 released By: naudefj on Tue, 18 September 2012 01:47
		Re: Aw: Re: FUDforum 3.0.4.1 released By: naudefj on Sat, 22 September 2012 10:52

Previous Topic:	Error with Googlebot / Invalid links
Next Topic:	Syntax error in code generated after adding {IF} to template

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Tue Jan 31 22:50:18 EST 2023

Total time taken to generate the page: 0.00785 seconds