SecurityTracker.com


 


Category:   Application (Forum/Board/Portal)  >   XMB Forum
Vendors:   Xmbforum.com
XMB Forum (Partagium) Input Validation Hole in 'member.php' Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006816
SecurityTracker URL:  http://securitytracker.com/id/1006816
CVE Reference:   CVE-2003-0375
Updated:  Jan 21 2004
Original Entry Date:  May 22 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.8 Final Edition SP1
Description:   A vulnerability was reported in the XMB Forum (Partagium) message forum software. A remote user can conduct cross-site scripting attacks.

It is reported that the 'member' field of the 'member.php' script does not properly filter user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the XMB Forum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/scri

The vendor has reportedly been notified without response.

Lotek is credited with discovering this flaw.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the XMB Forum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor has released XMB 1.8 Final Edition Partagium SP 2 that contains a "patch to prevent HTML Injection Vulnerability," however, it is not clear if the referenced patch fixes this flaw or not. We have asked the vendor for clarification.]

Vendor URL:  www.xmbforum.com/home/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
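
With no confirmed vendor fix, one check a site operator can run is a scan of web server access logs for requests to 'member.php' whose 'member' parameter decodes to markup. The Python script below is an added example, not part of the advisory or of XMB's code; the combined access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters needed to open a tag or break out of an attribute value.
# Heuristic: tune it if legitimate member names on your board contain quotes.
MARKUP = re.compile(r"[<>\"']")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_member_values(log_lines):
    """Return (line_number, decoded_value) for member.php requests whose
    'member' query parameter decodes to text containing markup characters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/member.php"):
            continue
        # parse_qs performs the first round of percent-decoding itself.
        for raw in parse_qs(url.query, keep_blank_values=True).get("member", []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2003:10:00:01 +0000] "GET /forum/member.php?action=viewpro&member=Marc HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/May/2003:10:00:07 +0000] "GET /forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E HTTP/1.1" 200 5342',
    '192.0.2.12 - - [22/May/2003:10:00:09 +0000] "GET /forum/member.php?action=viewpro&member=%253Cb%253EMarc HTTP/1.1" 200 5200',
    '192.0.2.13 - - [22/May/2003:10:00:12 +0000] "GET /forum/index.php?member=%3Cb%3E HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for number, value in suspicious_member_values(SAMPLE_LOG):
        print(f"line {number}: member={value!r}")
```

Only query strings are visible in access logs, so values submitted in a POST body are outside what this scan can see.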


 Source Message Contents

Subject:  [Full-Disclosure] XMB 1.8 Partagium cross site scripting vulnerability


Hi!

Lotek, a friend of mine, informed me about a cross site scripting bug[1]
in my XMBforum 1.8.x[2]:

http://www.computec.ch/forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E

I sent this information on Apr 25 2003 to sales@aventure-media.co.uk (I
have not found any other contact email on the web page) and suggested a
patch or update. After a week, nothing came back so I decided to send my
advisory to the Super Administrator of their own board. No reply either.

This bug still exists in XMB 1.8 Final Edition SP1, released after the
bugtraq posting "XMB 1.8 Partagium SQL Injection Bug" on Apr 22 2003
5:08PM[2]. It may be possible that other versions of the board (1.11,
1.6, and 1.8 beta) are also vulnerable.

A new updated version of the forum may be available at
http://www.xmbforum.com/download/#partagium - An upgrade, if available,
is recommended.

Bye, Marc

[1] http://www.cgisecurity.com/articles/xss-faq.shtml
[2] http://www.xmbforum.com
[3] http://www.securityfocus.com/archive/1/319411

-- 
Computer, Technik und Security                  http://www.computec.ch/

"All technology is a Faustian pact with the devil."
           Neil Postman, American sociologist and media critic


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 

