PHP-Nuke "off-site Avatar" Script Insertion Vulner - Website Hosting - VPS Hosting - Domain Registration Ireland :: Blacknight

niall · #1 (**permalink**) 30-06-05, 10:50 AM

Input passed to the "Link to off-site Avatar" field isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session.
Successful exploitation requires that the "Enable remote avatars" setting is enabled (disabled by default).

Anonymous · #2 (**permalink**) 22-07-05, 10:33 PM

Have to say I'm inpressed at this forum. A lot of hosting companies don't bother to inform clients of issues with Third Party PHP scripts etc.

Take Hosting 365.ie - they take your money and run!!

niall · #3 (**permalink**) 28-07-05, 09:09 AM

Thanks!

We can't cover all 3rd party scripts, but we'll post notices about any scripts that can be installed automatically (see http://www.blacknight.ie/installatron.0.html)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Gallery EXIF Data Script Insertion Vulnerability	niall	Security Notices	0	26-08-05 09:58 AM
Coppermine Photo Gallery EXIF Data Script Insertion	niall	Security Notices	0	22-08-05 09:23 AM
phpBB BBcode "url" Script Insertion Vulnerability	niall	Security Notices	0	28-07-05 08:47 AM