Written by Dante90
Friday, 13 March 2009 23:59
RETIRED: phpBB 'ucp.php' Cross Site Scripting Vulnerability
Input Validation Error
Mar 04 2009 12:00AM
Mar 13 2009 03:26PM
phpBB Group phpBB 3.0.4
phpBB Group phpBB 3.0.3
phpBB Group phpBB 3.0.2
phpBB Group phpBB 3.0.1
phpBB Group phpBB 3.0
phpBB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects phpBB 3.x; other versions may also be affected.
UPDATE (March 13, 2009): This BID is being retired because the issue cannot be exploited as described.
To exploit this issue, an attacker must entice an unsuspecting user into following a malicious URI.
The following example URI is available:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:
UPDATE (March 13, 2009): This BID is being retired as the issue can not be exploited as described.
http://www.phpbb.com (phpBB Group)