# phpBB viewtopic.php script allows cross-site scripting: Mar 1



## eddie5659 (Mar 19, 2001)

Hiya

phpBB is a free open-source Web bulletin board software package. phpBB version 2.0.6c is vulnerable to cross-site scripting, caused by improper filtering of user-supplied input in the viewtopic.php script. A remote attacker could embed malicious code in the postorder variable in a specially-crafted URL request to the viewtopic.php script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Platforms Affected:

- kernel.org Linux Any version
- Microsoft Corporation Windows Any version
- phpBB Group phpBB 2.0.6c
- Various Unix Any version

Remedy:

No remedy available as of March 2004.

Consequences:

Gain Access

http://xforce.iss.net/xforce/xfdb/15348

Regards

eddie


----------
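Added example, not part of the original post or of phpBB: a log check an administrator could run while no fix is available, flagging viewtopic.php requests whose postorder value falls outside an allow-list. The allowed values `asc`/`desc`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the only legitimate postorder values are the sort directions.
ALLOWED_POSTORDER = {"asc", "desc"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (common log format), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2004:10:00:01 +0000] "GET /forum/viewtopic.php?t=12&postorder=asc HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Mar/2004:10:00:07 +0000] "GET /forum/viewtopic.php?t=12&postorder=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300',
    '192.0.2.12 - - [01/Mar/2004:10:00:09 +0000] "GET /forum/viewtopic.php?t=12&postorder=%2522%253E%253Ci%253E HTTP/1.1" 200 5300',
    '192.0.2.13 - - [01/Mar/2004:10:00:11 +0000] "GET /forum/index.php?postorder=zzz HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_postorder(log_line):
    """Return the decoded postorder value if it is outside the allow-list, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not url.path.lower().endswith("/viewtopic.php"):
        return None
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(url.query, keep_blank_values=True).get("postorder", []):
        value = fully_decode(raw).strip().lower()
        if value not in ALLOWED_POSTORDER:
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_postorder(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected postorder value {value!r}")
```
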

