phpBB privmsg.php Cross-Site Request Forgery and Cross-Site Scripting
From the new advisory:
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
What the description says:
etc.1) The application allows users to send messages via HTTP requests without performing any validity checks to verify the request.
and
etc.2) Input passed to the form field "Message body" in privmsg.php is not properly sanitised before it is returned to the user when sending messages to a non-existent user.
I.e., the second flaw is a typical cross-site scripting (XSS) issue.
The report says that the latest version 2.0.21 is affected.
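A sketch of the two standard defences for the flaws described: a per-session token verified before a message is sent, and HTML-encoding of the message body when the form is shown again for a non-existent recipient. This is an added example, not phpBB code; every function and field name in it is hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical private-message handler, not phpBB code; all names are assumptions.
session_start();

/** Per-session anti-CSRF token, created on first use. */
function csrf_token(): string {
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}
/** Constant-time comparison of the submitted token with the session's. */
function csrf_valid($submitted): bool {
    return is_string($submitted) && hash_equals(csrf_token(), $submitted);
}
/** Encode untrusted text for HTML element and attribute contexts. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
/** Read a POST field as a string; arrays and missing fields become ''. */
function post_str(string $key): string {
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}
/** Stand-in for the real user lookup (constructed sample data). */
function user_exists(string $name): bool {
    return in_array($name, ['alice', 'bob'], true);
}

$error = '';
$to = post_str('to');
$body = post_str('message');
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);      // reject requests without the session's token
        exit('Invalid or missing request token.');
    }
    if (!user_exists($to)) {
        $error = 'No such user.';     // form is re-displayed with the typed body
    } else {
        $body = '';                   // a real handler would store the message here
    }
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <p><?= h($error) ?></p>
  <input name="to" value="<?= h($to) ?>">
  <textarea name="message"><?= h($body) ?></textarea>
  <button type="submit">Send</button>
</form>
```

The token check covers the first flaw because a request forged from another site cannot read the session's token; the `h()` calls cover the second because the body is encoded at the point where it is written back into the page.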

