Package: phpbb2
Version: 2.0.13-6sarge2
Severity: normal

Seen at http://www.osvdb.org/22928. Their description is:

phpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'smile_url' variable upon submission to the 'admin_smiles.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

I don't know much about phpbb. I tried the "Manual Testing Notes" URLs they suggested, but they didn't work. But that is more likely because the forum I tried it on had the "disabled" flag set.