Phorum HTTP_REFERER and Other Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009433
|
SecurityTracker URL: http://securitytracker.com/id/1009433
CVE Reference: GENERIC-MAP-NOMATCH
|
Updated: May 19 2004
|
Original Entry Date: Mar 15 2004
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Vendor Confirmed: Yes
Exploit Included: Yes
|
Version(s): 5.0.3 Beta and prior versions
|
Description:
Some input validation vulnerabilities were reported in Phorum in the 'register.php', 'login.php', and 'profile.php' scripts. A remote user can conduct cross-site scripting attacks.
JeiAr of the GulfTech Security Research Team reported that several scripts do not properly filter HTML code from user-supplied input before displaying it. Phorum's global filter strips the '<script></script>' tag but leaves other tags and attributes intact, so script can still be executed from a tag the filter allows, the report said. In 'login.php' and 'register.php' the hidden form fields 'f' (forum id) and 'target' (post-login destination) are populated directly from the HTTP_REFERER value without validation; 'profile.php' has a similar problem with its 'target' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Phorum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
login.php?HTTP_REFERER=[XSS]
register.php?&HTTP_REFERER=[XSS]
profile.php?id=2&action=edit&target=[XSS]
The vendor has reportedly been notified.
The advisory is available at:
http://www.gulftech.org/03152004.php
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Phorum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
The vendor is reportedly working on a fix to be available shortly.
|
Vendor URL: www.phorum.org/
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
|
Source Message Contents
|
Date: Mon, 15 Mar 2004 16:09:32 -0500
Subject: http://www.gulftech.org/03152004.php
|
http://www.gulftech.org/03152004.php
Phorum 5.0.3 Beta And Earlier XSS Vulnerabilities March 15, 2004
Vendor : Phorum
URL : http://www.phorum.org
Version : Phorum 5.0.3 Beta && Earlier
Risk : Cross Site Scripting
Description:
Phorum is a web based message board written in PHP. Phorum is designed with
high-availability and visitor ease of use in mind. Features such as mailing list
integration, easy customization and simple installation make Phorum a powerful add-in to
any website.
Problem:
Phorum has patched a good number of XSS (Cross Site Scripting) issues in the past, but
there is still some work to be done regarding these issues before the final release of
Phorum Version 5. The first issue I am going to talk about lies in "login.php". If you look
at the HTML source code you should see two hidden variables. One called "f" which
specifies the forum id, and one called "target" which specifies the location to take the
user after they login. Unfortunately both of these values are taken directly from the
value of HTTP_REFERER without any validation. While there is a global script in forum that
checks for the <script> tag, it will allow for pretty much anything else, and most of you
know it is not hard to execute javascript inside of a tag which is allowed. This same
vulnerability also exists in "register.php". And while not the exact same, a similar
problem to these two exists in "profile.php" also. Below are some examples.
login.php?HTTP_REFERER=[XSS]
register.php?&HTTP_REFERER=[XSS]
profile.php?id=2&action=edit&target=[XSS]
Solution:
The vendor was contacted and immediately responded, and will be releasing a fix soon.
Thanks to Brian Moon and the rest of the forum dev team for such a quick response. It is
appreciated.
Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
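The bypass and the fix, as an added example that is not Phorum's code and not part of the GulfTech advisory, illustrating both the Description in the SecurityTracker entry and the "Problem" section of the message above: a filter that only removes <script> tags lets an attacker close the hidden input's value attribute and inject an element whose event handler runs script, whereas escaping for the attribute context, and separately validating the redirect target as a URL on the forum's own host, stops it. The function names, the stand-in blacklist and the host name forum.example are assumptions; the page says only that Phorum's filter strips <script></script> and that 'f' and 'target' come from HTTP_REFERER unvalidated.

```php
<?php
// Added example; not Phorum's code and not taken from the GulfTech advisory.
// It reproduces the bug class the page describes: a hidden form field whose
// value comes from user-controlled input (the Referer value, supplied here
// as a plain string) after passing through a blacklist that only knows
// about <script>.

// ASSUMPTION: stand-in for Phorum's global filter. The page says only that
// the filter strips <script></script>; this does exactly that and nothing more.
function blacklist_only_script(string $value): string
{
    return preg_replace('#</?script[^>]*>#i', '', $value);
}

// Vulnerable pattern: the filtered value is written into an attribute
// without being escaped for that context.
function hidden_field_vulnerable(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="'
        . blacklist_only_script($value) . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES makes
// both quote characters encoded, so the value cannot terminate the attribute
// whichever quoting style the template uses.
function hidden_field_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// A redirect target needs validation as well as escaping: accept only a
// site-relative path or an http(s) URL on the forum's own host, so the value
// can be neither a javascript: URL nor an off-site destination.
function safe_target(string $candidate, string $own_host, string $fallback): string
{
    if (preg_match('/[\r\n]/', $candidate)) {   // never let CR/LF reach a Location header
        return $fallback;
    }
    if (preg_match('#^/(?!/)#', $candidate)) {  // "/list.php?f=1" but not "//evil.example"
        return $candidate;
    }
    $p = parse_url($candidate);
    if ($p !== false
        && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && strcasecmp($p['host'], $own_host) === 0) {
        return $candidate;
    }
    return $fallback;
}

// Constructed attacker value. It contains no <script> tag, so the blacklist
// passes it unchanged, yet it closes the value attribute and the input tag
// and injects an element whose event handler runs script.
$payload = '"><img src=x onerror=alert(document.cookie)>';

echo hidden_field_vulnerable('target', $payload), PHP_EOL;
echo hidden_field_safe('target', $payload), PHP_EOL;

// Target validation against the constructed forum host "forum.example":
// a same-host referer and a site-relative path are kept, everything else
// falls back to the forum index.
$host = 'forum.example';
$fallback = '/index.php';
echo safe_target('http://forum.example/list.php?f=1', $host, $fallback), PHP_EOL;
echo safe_target('/list.php?f=1', $host, $fallback), PHP_EOL;
echo safe_target('http://evil.example/', $host, $fallback), PHP_EOL;
echo safe_target('javascript:alert(1)', $host, $fallback), PHP_EOL;
echo safe_target($payload, $host, $fallback), PHP_EOL;
```

Run it with the php command-line interpreter. The first echo shows the injected <img> element sitting outside the input tag; the second shows the same bytes rendered harmless as attribute text. The advisory's URLs pass HTTP_REFERER as a query parameter, which is why the example takes the value as an ordinary string: however the script obtained it, the fix is the same, escape by output context and validate redirect targets as URLs rather than trying to enumerate dangerous tags.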