FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Cross site scripting problem in admin login page [message #7492] Tue, 26 November 2002 12:05
Posted by: Jimvin (Junior Member, United States; Messages: 2; Registered: November 2002)

Hi,
I was checking out FUDforum for a friend who has recently installed it on his home PC and I have found an XSS problem in one of the pages. I went to the URL http://www.friendsserver.com/adm/index.php which takes you to a login page.

If a login fails, the username tried is displayed in the textbox of the resulting page. Adding some special chars means that HTML, JavaScript, etc. can be added to the page.

Example: The following string will display a JavaScript popup containing the user's cookie.

user" size=25> <script>alert(document.cookie)</script> <


The risk is mitigated to some degree in that certain special characters such as ' and " are escaped.

Apologies if this has already been identified.

Cheers,
Jimvin
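
The reflected-username problem reported above, shown as an added example that is not part of the original post and is not FUDforum's own code: a login form that echoes the failed username into the textbox, first with backslash escaping only, then encoded for the HTML attribute context. The function names, the `login` field name and the use of `addslashes()` as the kind of escaping involved are assumptions made for illustration.

```php
<?php
// Added illustration; not FUDforum source. Function and field names are hypothetical.

// Before: the tried username goes into the value attribute with backslash
// escaping only (assumption: addslashes()-style escaping of ' and ").
// HTML does not treat a backslash as an escape character, so \" still
// ends the attribute and the rest of the input is parsed as markup.
function render_login_unsafe(string $login): string
{
    return '<input type="text" name="login" value="' . addslashes($login) . '" size=25>';
}

// After: encode for the HTML attribute context. ENT_QUOTES converts both
// quote characters; <, > and & are converted as well, so the value cannot
// leave the attribute or open a new tag.
function render_login_safe(string $login): string
{
    $encoded = htmlspecialchars($login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="login" value="' . $encoded . '" size="25">';
}

// True when the rendered field still carries a raw script tag taken from the input.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Sample input: the string quoted in the report above.
$tried = 'user" size=25> <script>alert(document.cookie)</script> <';

$unsafe = render_login_unsafe($tried);
$safe   = render_login_safe($tried);

echo $unsafe, "\n";
echo $safe, "\n";

// The backslash-escaped form still contains the raw tag; the encoded form does not.
var_dump(contains_raw_script($unsafe)); // bool(true)
var_dump(contains_raw_script($safe));   // bool(false)
```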