Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: bt853.txt

DcForum+ XSS Vulnerability

ZH2003-21SA (security advisory): DcForum+ XSS Vulnerability

Published: 10 august 2003

Released: 10 august 2003

Name: DcForum+

Affected Systems: 1.2

Issue: Remote attackers can inject XSS script





Zone-h Security Team has discovered a flaw in 

DcForum+ 1.2  (and older versions?). DcForum+ is a very user friendly 

bulletin board program that utilitzes mySQL server on the backend and

PHP on the front end.




It's possibile to inject XSS script in the subject variable.

For example try this:

Your Name: Zone-h Security Team

Your Email:

Your Subject: <script>alert(Zone-h)</script>

Your Message:



The vendor has been contacted and a patch was produced.



Filter the subject variable.

G00db0y - admin

Original advisory here:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH