| Field | Value |
|---|---|
| VID | 21319 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The phpBB installed on the Web server has multiple Cross-Site Scripting vulnerabilities. phpBB is an open-source bulletin board software package that uses a MySQL, MS-SQL, PostgreSQL or Access/ODBC database. Version 2.0.8 and possibly earlier versions of phpBB are vulnerable to multiple Cross-Site Scripting vulnerabilities in the 'lang_faq.php', 'lang_bbcode.php' and 'index.php' scripts, caused by the application's failure to properly sanitize user-supplied URI input. A remote attacker could create a specially crafted URL for these scripts containing malicious script and persuade a target user to click it. Once the URL is clicked, the embedded code is executed in the victim's Web browser. A remote attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| References | http://archives.neohapsis.com/archives/bugtraq/2004-07/0170.html |
| Platforms Affected | phpBB 2.0.8, any operating system, any version |
| Recommendation | Upgrade to the latest version of phpBB (2.0.10 or later) from the phpBB Downloads Web page at http://www.phpbb.com/downloads.php |
| Related URL | CVE-2004-0730 (CVE) |
| Related URL | 10738 (SecurityFocus) |
| Related URL | 16724, 16725, 16726 (ISS) |