“Yet Another Forum.net” is an open-source package that
provides a discussion forum for web sites. The package runs on
ASP.NET and usually uses Microsoft SQL Server as its backend database.
The package’s source code, written in C#, is licensed under the GPL
and is available to the public.
Several cross-site scripting (XSS) vulnerabilities were found in
Yet Another Forum.net version 0.9.9. Any malicious user can
insert script into the “name” and “location” profile fields and
into the “Subject” field of a private message; the stored values are
later rendered to other users. Successful exploitation lets the
attacker’s script run in the web browser of any user who views the
affected page, in the security context of the vulnerable web site,
where it can read that user’s session cookies or act on their behalf.
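The defect class behind these reports is missing output encoding: a stored field is concatenated into page markup as-is, so a value containing a tag becomes live HTML for every viewer. The following C# console program is an added illustration, not code from Yet Another Forum.net; the method names, the field values and the table-cell markup are constructed for the example. It renders the same constructed profile values once without encoding and once with System.Net.WebUtility.HtmlEncode (inside ASP.NET the equivalent is System.Web.HttpUtility.HtmlEncode or Server.HtmlEncode), and then checks that no user-supplied tag survives in the hardened output.

```csharp
// Added example, not code from Yet Another Forum.net. Shows the unencoded
// render that produces stored XSS beside the hardened, HTML-encoded render.
// Method names and sample values are hypothetical.
using System;
using System.Net;

public static class ProfileRenderer
{
    // Vulnerable: stored values go straight into the markup, so
    // "<script>" in a profile field is executed by every viewer's browser.
    public static string RenderUnsafe(string name, string location)
    {
        return "<td>" + name + "</td><td>" + location + "</td>";
    }

    // Hardened: every untrusted value is HTML-encoded at the point where it
    // is written into the page. '<' becomes "&lt;", '"' becomes "&quot;",
    // so the browser displays the text instead of interpreting it.
    public static string RenderSafe(string name, string location)
    {
        return "<td>" + WebUtility.HtmlEncode(name) + "</td><td>"
             + WebUtility.HtmlEncode(location) + "</td>";
    }

    // Simple self-check: the hardened output must not contain any raw
    // markup characters that originated in the user-controlled input.
    public static bool ContainsRawMarkup(string rendered, string input)
    {
        foreach (char c in input)
        {
            if (c == '<' || c == '>' || c == '"' || c == '\'')
            {
                // Encoded output never carries these characters from input;
                // the only '<' and '>' left belong to the template itself.
                if (rendered.Contains("<script") || rendered.Contains("onerror="))
                {
                    return true;
                }
            }
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample input standing in for a user-edited profile.
        string name = "alice<script>alert(document.cookie)</script>";
        string location = "\"><img src=x onerror=alert(1)>";

        string unsafeHtml = RenderUnsafe(name, location);
        string safeHtml = RenderSafe(name, location);

        Console.WriteLine("Unencoded: " + unsafeHtml);
        Console.WriteLine("Encoded  : " + safeHtml);
        Console.WriteLine("Unencoded render carries injected markup: "
            + ContainsRawMarkup(unsafeHtml, name + location));
        Console.WriteLine("Encoded render carries injected markup:   "
            + ContainsRawMarkup(safeHtml, name + location));
    }
}
```

The same treatment applies to the private-message “Subject” field, or any other stored string that reaches a page: encode on output, at the template, rather than trying to filter tags on input, since input filtering tends to miss attribute-context payloads such as the `location` value above.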
BSST's Suggestions:
1. Yet Another Forum.net version 0.9.9 users should upgrade their
installations to version 1.0.1:
http://sourceforge.net/project/showfiles.php?group_id=90539
2. Watch for pattern release notices from Broadweb and keep patterns
up to date.
CREDITS: The information has been provided by Maty Siman
(maty_at_checkmarx.com)
Broadweb Security Service Team (BSST) - Empower Your
Network Security Broadweb NetKeeper Intruder Prevention System
delivers the protection against intrusion, worms, DDOS,
Instant messaging, P2P, Web-Mail, and Web Post.
Note: This document is provided on an
“as is” basis and does not imply any kind of guarantee or
warranty. Your use of this information on the document or
materials linked from the document is at your own risk.
BroadWeb reserves the right to update this document at any
time.