SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   FuseTalk
Vendors:   FuseTalk Inc.
FuseTalk Grants Remote Users Access to 'banning' Template
SecurityTracker Alert ID:  1010080
SecurityTracker URL:  http://securitytracker.com/id/1010080
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 6 2004
Impact:   Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.0
Description:   An input validation vulnerability was reported in FuseTalk. A remote user can access an administrative template.

Stuart Jamieson reported that unpatched releases of version 4.0 allow a remote user to access the 'banning.cfm' template and ban other users.

It is also reported that in version 2.0 (and possibly other versions), a remote authenticated user can pass parameters to the 'adduser.cfm' administration template via an HTTP GET request. A remote user can create a URL that, when loaded by an authenticated target administrator, will cause a new account to be created. A demonstration exploit URL is provided:

http://[target]/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God
&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass
&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g
&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70
&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes
&FT_ACTION=adduser

The report indicates that this URL can be embedded within an '[img]' image tag so that when an authenticated target administrator views the image, the URL will be executed by the target user's browser.

Impact:   A remote user can gain access to the 'banning.cfm' administrative template.
Solution:   The report suggests that a patch is available from the vendor to correct the 'banning.cfm' access flaw.
Vendor URL:  www.fusetalk.com/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  Fuse Talk Vulnerabilities

As well as well-known XSS vulnerabilities, the latest version 4.0 seems to have some other issues.

Unpatched releases of V4.0 allow the user to access the template banning.cfm without any administrative privileges. All users of the software should check with fusetalk.com for the latest security patches to prevent this being misused.

Access to this template allows any user to ban any other users and seems to be particularly vulnerable. Fortunately it does not affect the administration templates, merely the moderation ones, so the chances of an attacker gaining higher levels of access seem unlikely.

Another issue seems to exist which I have only so far tested on Version 2.0, and I am unsure if this also occurs in V3-4; it appears that within the administration templates adduser.cfm allows parameters to be passed by a GET statement rather than a POST statement.

This potential vulnerability could allow a hostile to create a new account by tricking some other person with moderator powers. Although it may seem obvious that a link to

http://www.victim.com/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser

would create a new account, if the address is hidden within an image tag [img][/img] then the event will fire the creation of the account when the administrator's web browser attempts to download the image.

This could be extended by the variable FTVAR_SCRIPTRUN=self.close, which even if not creating an account would be capable of running malicious JavaScript when an administrative user attempted to follow the link.

Since FuseTalk relies nearly entirely on POST-based data, the best fix for this is to restrict posting of data by a GET statement.
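As an added example (not code from the report or from FuseTalk), the method restriction the poster recommends, written as a request check in Python, plus a scan over constructed access-log lines that flags GET requests carrying FTVAR_/FT_ACTION form fields into an admin template. The function names, the /admin/ path prefix and the log lines are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (hypothetical); the last line mirrors the reported GET pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2004:10:00:01 +0000] "GET /forum/index.cfm HTTP/1.1" 200 512',
    '10.0.0.7 - admin [06/May/2004:10:00:05 +0000] "GET /admin/adduser.cfm HTTP/1.1" 200 2048',
    '10.0.0.7 - admin [06/May/2004:10:00:09 +0000] "POST /admin/adduser.cfm HTTP/1.1" 302 0',
    '10.0.0.7 - admin [06/May/2004:10:01:13 +0000] "GET /admin/adduser.cfm'
    '?FTVAR_USERNAMEFRM=attacker&FTVAR_SCRIPTRUN=self.close%28%29%3B&FT_ACTION=adduser HTTP/1.1" 200 128',
]


def admin_request_allowed(method: str, url: str) -> bool:
    """The fix the report suggests: admin templates take form data only via POST.
    A bare GET (rendering the form) is fine; a GET whose query string carries
    FTVAR_* fields or FT_ACTION is rejected, so a link or [img] URL cannot act."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith("/admin/"):
        return True                      # only admin templates are gated here
    query = parse_qs(parts.query, keep_blank_values=True)
    carries_form_data = any(k.upper().startswith(("FTVAR_", "FT_ACTION")) for k in query)
    if method.upper() == "GET":
        return not carries_form_data
    return method.upper() == "POST"      # anything else (HEAD, PUT, ...) is refused


def flag_admin_get_abuse(log_lines):
    """Detection side: return one record per logged request the check would refuse,
    noting whether the FTVAR_SCRIPTRUN parameter (the JavaScript hook) was present."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not in log format
        client, method, target, status = m.groups()
        if admin_request_allowed(method, target):
            continue
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        hits.append({
            "client": client,
            "path": urlsplit(target).path,
            "action": query.get("FT_ACTION", [""])[0],
            "script_param": "FTVAR_SCRIPTRUN" in query,
            "status": status,            # 200 here means the template served the GET
        })
    return hits
```

Running flag_admin_get_abuse(SAMPLE_LOG) yields a single record for the last line; a GET to /admin/adduser.cfm without parameters is not flagged, so the form itself can still be loaded.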

Copyright 2021, SecurityGlobal.net LLC