SecurityTracker.com

SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Zorum Vendors:   PhpOutsourcing
Zorum Input Validation Flaw in 'method' Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007471
SecurityTracker URL:  http://securitytracker.com/id/1007471
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 11 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.4
Description:   Zone-h Security Team reported an input validation vulnerability in Zorum. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.

It is reported that the software does not filter HTML code from user-supplied input in the 'method' parameter before displaying the input as part of an error message. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Zorum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/pathofzorum/index.php?method=<script>alert('test')</script>

It is also reported that a remote user can submit a malformed URL request using the 'method' parameter (or other parameters) to cause the server to disclose the installation path. A demonstration exploit URL is provided:

http://[target]/forum/index.php?method=userfunctions&'list=secmenu&

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Zorum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.
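The two defects above (raw reflection of the 'method' value into an error message, and PHP error output carrying the install path to the client) both live in the request dispatcher of a PHP forum. The following is an added illustration, not Zorum's own code or the patch the vendor issued: a hypothetical dispatcher written in the vulnerable style beside a hardened version that allow-lists the method name, HTML-encodes anything reflected, and keeps error detail (including file paths) in the server log. The handler names, the `dispatch_*` and `install_error_handling` functions and the log callback are all assumptions; the only input taken from the advisory is its demonstration payload.

```php
<?php
// Added illustration (not Zorum's code): a request dispatcher modelled on the
// advisory's description. Function, parameter and handler names are hypothetical.

// Vulnerable pattern: an unknown 'method' value is echoed raw into the error
// page. Anyone who follows a crafted link gets the script tag executed in the
// forum's origin (reflected XSS).
function dispatch_vulnerable(array $handlers, string $method): string
{
    if (!isset($handlers[$method])) {
        return "<p>Error: unknown method '$method'</p>";
    }
    return $handlers[$method]();
}

// Hardened pattern:
//  1. accept only method names from a fixed allow-list (the "filter the
//     method variable" suggestion of the advisory),
//  2. HTML-encode whatever is reflected, so '<script>' renders as text,
//  3. record the rejected value server-side instead of describing it to the client.
function dispatch_hardened(array $handlers, string $method, callable $log): string
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/i', $method) || !isset($handlers[$method])) {
        $log(sprintf('rejected method %s from %s',
            json_encode($method), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        $safe = htmlspecialchars($method, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<p>Error: unknown method '$safe'</p>";
    }
    return $handlers[$method]();
}

// Path-disclosure mitigation: PHP's default warning/exception output embeds the
// absolute path of the failing script. Route it to the log and show the browser
// a generic message instead.
function install_error_handling(callable $log): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($log): bool {
        $log("php error $errno: $errstr in $errfile:$errline"); // path stays server-side
        return true; // suppress PHP's own output
    });
    set_exception_handler(function (Throwable $e) use ($log): void {
        $log('uncaught ' . get_class($e) . ': ' . $e->getMessage()
            . ' at ' . $e->getFile() . ':' . $e->getLine());
        http_response_code(500);
        echo '<p>An internal error occurred.</p>';
    });
}

// Demo with the advisory's demonstration payload (constructed input, run from the CLI).
$log = fn(string $m) => error_log($m);
install_error_handling($log);

$handlers = [
    'list'          => fn() => '<p>thread list</p>',
    'userfunctions' => fn() => '<p>user menu</p>',
];
$payload = "<script>alert('test')</script>";

echo dispatch_vulnerable($handlers, $payload), PHP_EOL; // script tag reaches the page verbatim
echo dispatch_hardened($handlers, $payload, $log), PHP_EOL; // &lt;script&gt;... shown as text, value logged
```

Running it from the command line prints the raw tag for the vulnerable version and the entity-encoded form for the hardened one, with the rejected value going to the PHP error log. The allow-list check is the important part: once only known method names pass, the reflected error text is never attacker-controlled, and the encoding is a second line of defence rather than the only one.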

Solution:   The vendor has reportedly issued a patch.
Vendor URL:  zorum.phpoutsourcing.com/
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path


ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path Disclosure


Published: 11 August 2003

Released: 11 August 2003

Name: Zorum

Affected Systems: v.3.4

Issue: Remote attackers can inject XSS script and know the path of the site.

Author: G00db0y@zone-h.org

Vendor: http://zorum.phpoutsourcing.com/

Description

***********

Zone-h Security Team has discovered a flaw in Zorum v3.4 (and older versions?).
"Zorum is a message board software, which may be used with equal success on both
intra- and internet sites."



Details

*******

It's possible to inject XSS script in the method variable.

Example:

http://www.site.com/pathofzorum/index.php?method=<script>alert('test')</script>

It's possible to make a malformed HTTP request for many variables in
Zorum and in doing so trigger an error. The resulting error message will disclose
potentially sensitive installation path information to the remote attacker.

Example:

http://zorum.phpoutsourcing.com/forum/index.php?method=userfunctions&'list=secmenu&



Solution:

*********

The vendor has been contacted and a patch was produced.


Suggestions:

************

Filter the method variable (xss problem), filter all variables.


G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2867/


