SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Forum/Board/Portal)  >   Snitz Forums Vendors:   Snitz Communications
Snitz Forums 2000 Input Validation Flaw in 'register.asp' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010524
SecurityTracker URL:  http://securitytracker.com/id/1010524
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 18 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.4.04 and possibly prior versions
Description:   An input validation vulnerability was reported in Snitz Forums 2000. A remote user can conduct cross-site scripting attacks.

Pete Foster of Sec-Tec reported that 'register.asp' script does not properly filter the e-mail address field to remove HTML code.

A remote user can submit a specially crafted e-mail address value during registration. Then, when a target user attempts to click on a link to send e-mail to the newly registered user, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the Snitz Forums software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit value is provided:

p@p" onMouseOver="alert(document.cookie);

The vendor was reportedly notified on May 6, 2004.

The original advisory is available at:

http://www.sec-tec.co.uk/vulnerability/snitzxss.html

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Snitz Forums software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has provided a fix, described at:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=53360

Vendor URL:  forum.snitz.com/forum/topic.asp?TOPIC_ID=53360 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  XSS in Snitz Forum 2000


Sec-Tec Advisory - XSS in Snitz Forums 2000

The most up to date version of this advisory can always be found at:
www.sec-tec.co.uk/vulnerability/snitzxss.html

Advisory creation date:	6th May 2004
Product:		Snitz Forums 2000
Tested version:		3.4.04 (older versions believed to be affected also)
Vulnerability:		XSS
Discoverd by:		Pete Foster - Sec-Tec Ltd (www.sec-tec.co.uk)

Product:
Snitz Forums 2000 is an interactive discussion environment that allows
different people on the Internet or an Intranet to leave messages for each
other, and then reply.

Description:
When registering a new account the register.asp script fails to properly
sanitize the E-mail address (Email) field.  An attacker can enter specially
crafted strings into this field that can allow him to launch cross-site
scripting (XSS) attacks.  Successful exploitation of this could lead to the
theft of sensitive information, such as valid session details.

Affected object:
register.asp

POC Exploit:
When registering a new account (or ammending an existing one), enter the
following as an email address:
p@p" onMouseOver="alert(document.cookie);

When a user then follows a link to send the attacker an email, the script
code is executed.


Fix:
The Email field should be filtered to remove dangerous characters.

The vendor has given details that fixes the symptoms.

--- Vendor quote ---

On line #184 of pop_mail.asp:

Change this:  rs("M_EMAIL")

To this:  chkString(rs("M_EMAIL"),"display")

--- End vendor quote ---

Vendor fix details can also be found at:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=53360


Release timeline:
Vulnerability discovered:	April 29th 2004
Vendor notified:		May 6th 2004
Vendor response:		June 11th 2004
Public release:			June 16th 2004

If using this document, please link to:
http://www.sec-tec.co.uk/vulnerability/snitzxss.html



__________________________________________________________________________
The contents of this e-mail are confidential and are intended solely for
the use of the person to whom they are addressed.  If you are not the
intended recipient of this message please notify the sender and delete it
immediately, disclosure of its content to any other person is prohibited
and may be unlawful.  Sec-Tec does not accept any responsibility for
viruses and it is your responsibility to scan the e-mail and attachments.
Any liability arising from any third party acting on information contained
in this e-mail is hereby excluded.
--------------------------------------------------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC