Re: SMF "index.php?action=pm" Cross Site-Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SMF "index.php?action=pm" Cross Site-Scripting
From: grudge@xxxxxxxxxxxxxxxxxx
Date: 2 Feb 2007 12:16:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

We intend to release a patch for this and a few other reported bugs within the 
next day or two (We need to complete testing on it).

Note that this is an extremely difficult exploit to achieve. It requires a user 
to follow a link posted by someone else to "Send a PM" with some HTML entities 
within the query string and then (I believe) to hit submit at least once. I 
would hope that the chances of anyone falling for such a exploit would be 
extremely low indeed!

Prev by Date: Re: strange behavior on Cisco 2801
Next by Date: Sourceforge compromized?
Previous by thread: Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting
Next by thread: XSS in 212cafeBoard ( Verision 0.08 & 6.30 Beta )
Index(es):
- Date
- Thread