Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: phpaxss.txt



Some of you may be familiar with Pafiledb provided by

PHP arena. Well they just released a new version that

fixed a problem with their counting of files. Along

with that they said they fixed a possible security bug

involving using Javascript as a search string. I

checked it on my old version and it is infact there, so

I updated to the new version so the bugs can be fixed

and I checked it and it no longer works. I figured

where there is one there are bound to be others so I

went searching.


I discoverd that there are three other XSS

vulnerabilities within the software wich can be

performed by editing the URL of three different sections.


* Rate File

* Email to Friend

* Download


* Stats


I discovered this by clicking at first the link to

email to a friend and then removed everything out of

the URL after &id=4 and added

?<script>alert('Testing')</script>" and just as i

expected it worked. I moved on to email to a friend the

same way and it worked and then I proceded to make the



and again it worked. I then decided to check stats and

to my surprise there it did not work.


I have not contacted php arena as of yet but i am about

to, hopefully since they fixed it in the search feild

all they should have to do is release the code or apply

it themselves and then come out with an update. Wich

shouldnt take long. I hope

Another XSS vulnerability provided by ersatz  :: A nice place to chill out and

learn something new

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH