SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Splatt Forum
Vendors:   Splatt.it
Splatt Forum Web Bulletin Board Input Validation Flaw in Filtering Image Tags Lets Remote Users Conduct Cross-Site Scripting Attacks to Steal Other Users' Authentication Cookies
SecurityTracker Alert ID:  1004487
SecurityTracker URL:  http://securitytracker.com/id/1004487
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 7 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0
Description:   A vulnerability was reported in the 'Splatt Forum' bulletin board software. A remote user can conduct cross-site scripting attacks.

A remote user can post a message that includes an [IMG] tag containing scripting. The image source must begin with 'http://'. However, the software does not filter the user-supplied input to ensure that the source address does not contain a closing quote ("). As a result, a remote user can insert scripting code. When a target (victim) user views the message, the scripting will be executed by the target user's browser. The code will originate from the web site running Splatt Forum and will run in the security context of that web site. The code will therefore be able to obtain any of the target user's cookies associated with that web site.

A demonstration exploit example is provided (place this code within a message posted to the site):

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

According to the report, a similar flaw exists in the remote-avatar feature of the user profile.

With a target user's authentication cookies, the remote user can gain access to the site as the target user. If the target user was an administrator, the remote user could gain administrative access to the application.
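The advisory's description of the flaw (an 'http://' prefix check that never rejects a double quote, so the user string breaks out of the src attribute) is easy to reproduce and to fix side by side. The following Python is an added example written for this page; it is not Splatt Forum's code (which is PHP) and does not reproduce its real [IMG] handling. The function names and the hypothetical `render_img_vulnerable` reconstruction are assumptions; the only input taken from the page is the demonstration payload. The hardened renderer also accepts https URLs, which goes slightly beyond the http-only check described in the report.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Matches a BBCode image tag; the group captures the user-supplied source.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Constructed test input: the demonstration payload quoted in the advisory.
ADVISORY_PAYLOAD = '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]'


def render_img_vulnerable(text: str) -> str:
    """Hypothetical reconstruction of the flawed behaviour the advisory describes
    (not Splatt's code): the only check is an 'http://' prefix, after which the
    raw string is interpolated into the src attribute unescaped."""
    def repl(m: "re.Match[str]") -> str:
        src = m.group(1)
        if not src.startswith("http://"):
            return m.group(0)          # unrecognised source: tag left as text
        return f'<img src="{src}" border="0" />'
    return IMG_TAG.sub(repl, text)


def safe_image_url(src: str) -> Optional[str]:
    """Return src if it is an http(s) URL with a host and contains no character
    that could terminate or extend the HTML attribute; otherwise return None."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    # A quote ends the attribute, whitespace separates attributes, and angle
    # brackets or control characters have no place in an image URL.
    if any(ch in '"\'<>' or ch.isspace() or ord(ch) < 0x20 for ch in src):
        return None
    return src


def render_img_hardened(text: str) -> str:
    """Validate the URL, then HTML-encode it before interpolating. Rejected tags
    are emitted as escaped text so user input never becomes markup."""
    def repl(m: "re.Match[str]") -> str:
        src = safe_image_url(m.group(1).strip())
        if src is None:
            return html.escape(m.group(0), quote=True)
        return f'<img src="{html.escape(src, quote=True)}" border="0" />'
    return IMG_TAG.sub(repl, text)


if __name__ == "__main__":
    print("vulnerable:", render_img_vulnerable(ADVISORY_PAYLOAD))
    print("hardened:  ", render_img_hardened(ADVISORY_PAYLOAD))
```

Run stand-alone, the vulnerable renderer emits an `<img>` whose src is closed early by the payload's quote, leaving `onerror` as a live attribute, while the hardened renderer rejects the URL and prints the tag back as inert, entity-encoded text. The two layers in the hardened path are deliberate: validation (scheme allow-list, no attribute-breaking characters) stops the injection the advisory describes, and attribute encoding of whatever survives validation protects against the case where the validator is later loosened.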

Impact:   A remote user can cause arbitrary scripting code to be executed on a target user's browser when the target user views a malicious message on the forum. The code will run in the security context of the web site running the forum software and will be able to access the target user's cookies associated with that site.
Solution:   The vendor has released a patch (to upgrade 3.0 to 3.1), available at:

http://www.splatt.it/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=101&ttitle=Fix%20upgrade%20splattforum%203.0%20-%203.1

Vendor URL:  www.splatt.it/modules.php?op=modload&name=Forums&file=index
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Splatt Forum XSS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerable systems:
 * Splatt Forum 3.0

Immune systems:
 * Splatt Forum 3.1

Splatt forum uses a user provided string (through the [IMG] tag) in
the following HTML tag: 
<img src="$user_provided" border="0" />

While there is a check to force the string to begin with "http://" it
doesn't disallow the symbol: ". This means that a malicious user can
escape the src="" in the HTML tag and insert his own HTML code. This
same problem also exists in the remote avatar part of the user
profile. 

Example:
Enter the following anywhere in a message: 
[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img] 

After that, anyone reading the message should see a popup with his
cookie.

Severity:
Malicious users can steal other users' and the administrator's
cookies. This would allow the attacker to impersonate other users on
the board and to access the administration panel.

Solution:
Upgrade to the latest version of Splatt (version 3.1).
Download splatt from: www.splatt.it


p.s. LIKE the recent PHPBB2 bug, (I just copy and paste from
securiteam's phpbb advisory)



/*
 * Andreas Constantinides (MegaHz)
 * www.cyhackportal.com
 * www.megahz.org
 *
 */

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPP9dJkJeOgJQULK7EQKFAACfYC3RGv+o4nDYO+fUtqkljjD51MUAnAhE
XCAhzIEN5B9zN14s54P19N49
=ERD/
-----END PGP SIGNATURE-----

Copyright 2019, SecurityGlobal.net LLC