PHPDeveloper: PHP News, Views and Community

Subscribe

@phpdeveloper.org

News Archive

Community News: Latest PECL Releases (06.17.2025)

Community News: Latest PECL Releases (06.10.2025)

Community News: Latest PECL Releases (06.03.2025)

Community News: Latest PECL Releases (05.27.2025)

Community News: Latest PEAR Releases (05.26.2025)

Community News: Latest PECL Releases (05.20.2025)

Community News: Latest PECL Releases (05.13.2025)

Community News: Latest PECL Releases (05.06.2025)

Community News: Latest PECL Releases (04.29.2025)

Community News: Latest PECL Releases (04.22.2025)

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

John Cox's Blog:
PHP-Nuke / phpBB XSS Exploit

byChris Cornutt Jun 27, 2005 @ 12:48:55

John Cox has posted over on Wyome.com (his blog) some inforamtion about yet another PHP-Nuke/phpBB XSS exploit.

I don't need to be able to read Spanish to know there is another XSS exploit in PHP-Nuke via the phpBB avatar system. Discussing PHP-Nuke XSS exploits is about as pointless as discussing the color of the sky. They will continue to be found as there is not audit proceedure in place, and the sky will continue to be blue.

The exploit is that PHP-Nuke allows the avatar for a registered user to be pulled from an external source, opening up all sorts of code injection issues. Their sugguestion as of right now for a fix? Turn off the avatar system.

tagged:

Link: