Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Cross-site scripting attacks
Show: Today's Messages :: Unread Messages :: Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Return to the default flat view Create a new topic Submit Reply
Cross-site scripting attacks [message #167755] Thu, 13 September 2012 10:46 Go to previous message
mikrochip   Germany
Messages: 2
Registered: September 2012
Junior Member
add to buddy list
ignore all messages by this user

I've found a critical bug in FUDforum that can be used for a Cross-site scripting attack.
An attacker could generate a special prepared data-URL which contains a HTML document with java script code and put a link to it into a forum message. This code will be executed in the context of the forum domain if any user clicks at the link.
So with Ajax the script can read out the SQ or other data and do anything.

All versions of FUDforum (at least since 2.7.7) are affected. I think earlier versions than 2.7.7 will also be affected, but I did not try it out.
I think you should really disable data-URLs in hyperlinks.
[Message index]
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Error with Googlebot / Invalid links
Next Topic: Syntax error in code generated after adding {IF} to template
Goto Forum:

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Jan 31 22:50:18 EST 2023

Total time taken to generate the page: 0.00785 seconds