Phorum - A Phorum's bug...


I have found a bug in Phorum (

It is possible to inject script code or other HTML tags into the "subject", "author's name" or "author's e-mail" fields of a message in Phorum.

In the subject (name, e-mail) input of a message, you need to write any HTML tag like this:


I have tested it on Phorum 3.4.1, but it probably works in other Phorum 3.x.x versions.



WiciU, Poland
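
The mitigation for this kind of injection is to encode the subject, author name and e-mail fields when they are written into the page. The following is an added example in PHP, not Phorum's code and not part of the original post; the function names, array keys and sample message are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Phorum source. Function and array key names are hypothetical.

// Encode a user-supplied value for an HTML text or quoted-attribute context.
function esc(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the three fields are concatenated into markup as submitted,
// which is the behaviour the advisory describes.
function render_row_unescaped(array $msg): string
{
    return '<tr><td>' . $msg['subject'] . '</td>'
         . '<td><a href="mailto:' . $msg['email'] . '">' . $msg['author'] . '</a></td></tr>';
}

// "After": every field is encoded at output time, and the e-mail address
// becomes a link only if it validates as an address.
function render_row_escaped(array $msg): string
{
    $author = esc($msg['author']);
    if (filter_var($msg['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $author = '<a href="mailto:' . esc($msg['email']) . '">' . $author . '</a>';
    }
    return '<tr><td>' . esc($msg['subject']) . '</td><td>' . $author . '</td></tr>';
}

// Constructed sample message: a harmless formatting tag in each field.
$msg = [
    'subject' => '<b>hello</b>',
    'author'  => '<i>guest</i>',
    'email'   => '"><u>x</u>',
];

echo render_row_unescaped($msg), "\n"; // tags reach the page as markup
echo render_row_escaped($msg), "\n";   // tags reach the page as literal text
```

Encoding at output time, rather than stripping tags on input, keeps the stored message intact and protects every page that displays it.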

