N/A

Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer (CVE-2005-3312) and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in phpBB.

N/A

N/A

phpBB 头像上传HTML注入漏洞

phpBB是自由软件，也是开放源代码的网络论坛系统，使用PHP作为程式语言。 phpBB 2.0.17存在解释冲突。在启用远程头像和头像上传时，远程认证用户可以借助带有GIF或JPEG文件扩展名的HTML文件注入任意web脚本或HTML，使得在Internet Explorer中查看文件的受害者执行HTML，将畸形图像类型变为HTML，从而实现跨站脚本(XSS)攻击。注：可能有人认为此漏洞是由Internet Explorer的设计缺陷所致，应当在该浏览器中进行适当的修复；如果是这样的话，则此问题不应视为

N/A

N/A