Re: Yabb XSS - or NOT
On 10 Aug 2006 04:13:34 -0000
Outlaw@xxxxxxxxxxxxxxxxx wrote:
> ####################### Software: YaBB
>
> #Attack method: Cross Site Scripting
> #
>
> #Proof of Concept:
>
> #index.php?action=faqmy&myfaq=yes&id_cat=1&categories=<script>alert("
> #xss")</script>
YaBB in both versions, 1.0 and 2.0/2.1 are PERL scripts, not PHP
(http://www.yabbforum.com/). Maybe you are talking about YabbSE (the
predecessor of SMF, if I remember correctly)?
Please post the correct name and VERSION number (plus company
or developer website) of the buggy software you found.
Thanks a lot!
Back to the topic: the YaBB forum scripts written in PERL are (of
course) not vulnerable to the PHP attack shown.
Bye
Volker.
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@xxxxxxx PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB