Ravens PHP Scripts

NSN Supporters Module Vulnerability
Date: Sunday, April 22, 2007 @ 01:33:04 PDT
Topic: Security


A vulnerability has been discovered in the NSN Supporters Module which, under some conditions, may allow a hacker to conduct a successful XSS attack on affected sites.

The attack requires one of two conditions: either MIME types are set incorrectly at server level, or the module is configured to allow upload of Supporter images.

With immediate effect:
If you are using this module, ensure you have not allowed image uploads.
A temporary fix is discussed here:
http://ravenphpscripts.com/postx13183-0-0.html




For obvious reasons, I have not detailed how the attack takes place, but I am more than happy to discuss the matter by PM with any developers I know so they can fully test fixes, etc.





This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2874