~ Summery : ------------------------------ Name : Tiny PHP forum v3.6 Software : http://sourceforge.net/projects/tinyphpforum/ Discovered by : Hessam-x (Hessam M.Salehi) - www.hessamx.net ~ Vulnerabilities : ------------------------------ I. Cross-site Scripting A.Input code to the "uname" in profile.php profile.php?action=view&uname=<script>alert("Xss")</script> B.input code in login name and login , in erorr page you can see xss code! II. Access to hash password This use very bad method for save hash password. user's password save in a file,for example admin's password saved in this file : http://localhost/tpforum/users/admin.hash Iran Hackerz Security Team , 2006-04-16
