
Re: XSS vulnerability in phpBB (an other ;-)



keupon_ps2@xxxxxxxx said:

>but this will work (on phpBB 2.0.6):
>[url=http://www.google.fr"; onclick="alert('Hello')]text[/url]
>
>I don't remember who has said that it will work on every version of phpBB
>but I've tested it on phpBB 2.0.4 and it doesn't work.
>Another person has said that it only works with this code:
>[url=http://www.google.fr"; onclick="alert('Hello');"]text[/url]
>I've tested it on 2.0.6 and it works but the code without the ;" works
>also.

These discrepancies might be due to differences in how web browsers
render "bad" HTML, rather than a quirk in phpBB.

Since the first example URL doesn't have a closing double-quote
character in the onclick value, some browsers may ignore it
altogether.

It seems likely that some types of XSS-style attacks would only work
in certain web browsers.

Which browsers (and versions) were used when testing this bug?

- Steve
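
The markup behind the two inputs quoted in this thread, as an added example that is not part of the original posts and is not phpBB's code. It assumes a hypothetical naive `<a href="...">` template; the function names `render_url_naive` and `render_url_safe` are illustrative. Printing the naive output for each input shows exactly what quote sequence a browser is asked to parse, and the hardened renderer shows the server-side fix that removes the browser dependence.

```php
<?php
// Hypothetical naive renderer (assumption, not phpBB's template): the [url=...]
// value is pasted into href="..." unescaped, so a double quote in the value
// ends the attribute early and the rest is parsed as further attributes.
function render_url_naive(string $post): string {
    return preg_replace('#\[url=(.*?)\](.*?)\[/url\]#s', '<a href="$1">$2</a>', $post);
}

// Hardened renderer: accept only plain http(s) URLs with no quotes, angle
// brackets, whitespace or control characters, and HTML-escape everything
// that is written into the page.
function render_url_safe(string $post): string {
    return preg_replace_callback(
        '#\[url=(.*?)\](.*?)\[/url\]#s',
        function (array $m): string {
            $url = $m[1];
            // \z anchors at the true end of the string (no trailing newline allowed).
            if (preg_match('#^https?://[^\s"\'<>\x00-\x1f]+\z#i', $url) !== 1) {
                // Not a clean URL: emit the whole tag as inert, escaped text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
                 . htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8') . '</a>';
        },
        $post
    );
}

// The first two inputs are the ones quoted in the thread; the third is a
// constructed benign link for comparison.
$samples = [
    '[url=http://www.google.fr"; onclick="alert(\'Hello\')]text[/url]',
    '[url=http://www.google.fr"; onclick="alert(\'Hello\');"]text[/url]',
    '[url=http://www.google.fr/search?q=phpbb]text[/url]',
];

foreach ($samples as $s) {
    echo "input: $s\n";
    echo "naive: " . render_url_naive($s) . "\n";
    echo "safe:  " . render_url_safe($s) . "\n\n";
}
```

With escaping done on the server, no unescaped quote reaches the page, so the result no longer depends on how a given browser recovers from malformed attributes.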