SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Zorum Vendors:   PhpOutsourcing
Zorum Input Validation Holes in 'list' and 'frommethod' and Other Fields Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013365
SecurityTracker URL:  http://securitytracker.com/id/1013365
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 4 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 3.5
Description:   Benjilenoob reported an input validation vulnerability in Zorum. A remote user can conduct cross-site scripting attacks. A remote user may also be able to gain elevated privileges on the application.

A remote user can create a topic and insert HTML code in the title field. When a target user views the topic, the HTML code is properly filtered and does not execute. However, if the target user replies to the topic, the HTML code will be executed by the target user's browser. The code will originate from the site running the Zorum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'list', 'method', and 'frommethod' parameters are not properly validated. A remote user can create a specially crafted URL that, when loaded by the target user, will execute arbitrary scripting code on the target user's system. Some demonstration exploit URLs are provided:

http://[target]/zorum_3_5/index.php?list="/><script>alert()</script>

http://[target]/zorum_3_5/index.php?method="/><script>alert()</script>

http://[target]/zorum_3_5/index.php?method=markread&list=zorumuser&fromlist=secmenu&frommethod="/><script>alert()</script>

[Editor's note: The flaw in the 'method' parameter was previously reported by Zone-h to affect version 3.4 as disclosed in Alert ID 1007471.]
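The two rendering paths the advisory contrasts, as an added example that is not Zorum's code: the stored topic title and the 'list'/'method'/'fromlist'/'frommethod' parameters end up inside HTML attributes, so a leading double quote closes the attribute unless the value is attribute-encoded. The form and link builders are hypothetical stand-ins for the forum's templates.

```python
import html
from urllib.parse import urlencode

# Constructed sample input: the title payload shape quoted in the advisory.
# The leading quote ends a value="..." attribute, "/>" closes the tag, and the
# remainder becomes live markup.
TITLE_PAYLOAD = '"/><script>alert()</script>'


def reply_form_vulnerable(topic_title: str) -> str:
    """Reply form as the advisory describes it: the stored title is echoed
    into an attribute with no encoding (hypothetical, not Zorum's code)."""
    return '<input type="text" name="subject" value="%s"/>' % topic_title


def reply_form_hardened(topic_title: str) -> str:
    """Same form with attribute-context encoding; quote=True is what turns
    the closing double quote into &quot; so the attribute cannot be ended."""
    return '<input type="text" name="subject" value="%s"/>' % html.escape(
        topic_title, quote=True)


def menu_link_hardened(method: str, list_: str, fromlist: str,
                       frommethod: str) -> str:
    """The top-menu links carry 'list', 'method', 'fromlist' and 'frommethod'
    back into the page. URL-encode each value when building the query string,
    then attribute-encode the whole href (hypothetical link builder)."""
    query = urlencode({"method": method, "list": list_,
                       "fromlist": fromlist, "frommethod": frommethod})
    return '<a href="index.php?%s">menu</a>' % html.escape(query, quote=True)


def has_live_script(fragment: str) -> bool:
    """Crude check for the two builders above: an unencoded '<script' in the
    rendered output means the payload survived as markup."""
    return "<script" in fragment.lower()
```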

A remote user can perform a search and insert scripting code in the 'Search in messages created by user' box to trigger an SQL error. If the system is configured with magic_quotes disabled, it may be possible to execute SQL commands on the underlying database. However, SQL command execution was not confirmed in the report.
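A parameterised rebuild of the search query quoted in the source message, as an added example rather than Zorum's code: the schema and rows are constructed from the column names in that query, and the creator filter is assumed to belong on u.name (the alias the query selects as creatorName). Bound parameters make the quote in the reporter's input plain data whether or not magic_quotes is on.

```python
import sqlite3

# Constructed schema and rows; column names follow the query quoted in the
# report, the rest is assumed for the demo.
SCHEMA = """
CREATE TABLE zorum_forum(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE zorum_topic(id INTEGER PRIMARY KEY, subject TEXT);
CREATE TABLE zorum_zorumuser(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE zorum_message(id INTEGER PRIMARY KEY, pid INTEGER, tid INTEGER,
    subject TEXT, txt TEXT, creationtime INTEGER, ownerId INTEGER);
INSERT INTO zorum_forum VALUES (1, 'general');
INSERT INTO zorum_topic VALUES (1, 'hello');
INSERT INTO zorum_zorumuser VALUES (1592, 'benji'), (2061890551, 'admin');
INSERT INTO zorum_message VALUES (1, 1, 1, 'une pti test', 'body', 100, 1592);
INSERT INTO zorum_message VALUES (2, 1, 1, 'other', 'une pti test', 200, 2061890551);
"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_messages(conn, words, creator=None):
    """Parameterised version of the report's search query. Every word becomes
    a pair of bound LIKE patterns and the creator name is bound as well, so
    a quote in either is data, whatever magic_quotes is set to."""
    sql = ("SELECT m.id, m.subject, u.name AS creatorName, f.name AS forumname "
           "FROM zorum_message m, zorum_forum f, zorum_topic t, zorum_zorumuser u "
           "WHERE m.pid=f.id AND m.tid=t.id AND u.id=m.ownerId")
    params, clauses = [], []
    for w in words:
        clauses.append("(m.subject LIKE ? OR m.txt LIKE ?)")
        params += ["%" + w + "%", "%" + w + "%"]
    if clauses:
        sql += " AND (" + " AND ".join(clauses) + ")"
    if creator is not None:
        sql += " AND u.name = ?"   # the report's m.creatorName is this alias
        params.append(creator)
    sql += " ORDER BY forumname DESC, m.creationtime DESC LIMIT 50"
    return conn.execute(sql, params).fetchall()
```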

If an administrative user has previously accessed the system, then a remote authenticated user can submit a specially crafted URL with a modified 'id' value to perform certain functions with the privileges of the specified user. A demonstration exploit URL is provided:

http://[target]/zorum_3_5/index.php?method=modify_form&list=zorumuser&fromlist=secmenu&frommethod=userfunctions&id=[id]
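The server-side check that the modify_form action is missing, as an added example and not Zorum's code: the 'id' query parameter is honoured only for an administrator, any other caller may edit only their own record, and a mismatch is logged so the attempt is visible. The user table and the helper name are constructed for the demo; the two ids are the ones quoted in the report.

```python
import logging
from typing import Optional

log = logging.getLogger("zorum.authz")

# Constructed user table; the two ids are the ones quoted in the report.
USERS = {2061890551: {"name": "admin", "admin": True},
         1592: {"name": "benji", "admin": False}}


def resolve_profile_target(session_user_id: Optional[int], params: dict,
                           users: dict = USERS) -> Optional[int]:
    """Decide which record method=modify_form may edit (hypothetical check,
    not Zorum's code). Administrators may name any existing id; everyone
    else may only edit their own record, and a request for a different id
    is denied and logged. Returns the id to edit, or None when denied."""
    if session_user_id not in users:
        return None                      # anonymous caller: no edit at all
    requested = params.get("id")
    try:
        requested = int(requested) if requested is not None else None
    except ValueError:
        return None                      # non-numeric id: reject outright
    if users[session_user_id]["admin"]:
        return requested if requested in users else None
    if requested is not None and requested != session_user_id:
        log.warning("user %d requested modify_form for id %d; denied",
                    session_user_id, requested)
        return None
    return session_user_id               # absent or own id: edit self
```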

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Zorum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user may be able to gain elevated privileges on the application.

Solution:   No solution was available at the time of this entry.
Vendor URL:  zorum.phpoutsourcing.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Zorum 3.5


Zorum 3.5
_________
author: Benjilenoob
Team Hacktinium: www.hacktinium.com

XSS flaw:
***********
date: 18/12/2004
~~~~
Okay, I found an XSS flaw in the forum!
All you have to do is create a topic and put as the title
"/><script>alert()</script>
Apparently when you read the topic it doesn't work....
But when you click on reply, then our code executes!
So there's one more little flaw.
		---------------
Okay, there are identical flaws; the guy just has to click on any link at the top for it to execute!
		----------------
flaw in the $list variable:
list="/><script>alert()</script>
here's a little example:
http://benji/zorum_3_5/index.php?list="/><script>alert()</script>
		----------------
flaw in the $method variable
http://benji/zorum_3_5/index.php?method="/><script>alert()</script>
		----------------
flaw in $frommethod
http://benji/zorum_3_5/index.php?method=markread&list=zorumuser&fromlist=secmenu&frommethod="/><script>alert()</script>
		---------------
flaw in the "search" section (see the SQL injection flaw)

SQL injection flaw:
*********************
date: 18/12/2004
~~~~
My script executed perfectly, but I also got an SQL error:

SELECT m.id AS id, m.pid AS pid, m.tid AS tid,m.subject AS subject, 
m.creationtime AS creationtime,u.name AS creatorName,f.name AS forumname, 
t.subject AS topicsubject, m.ownerId AS ownerId FROM zorum_message m, 
zorum_forum f, zorum_topic AS t, zorum_zorumuser AS u WHERE m.pid=f.id AND 
m.tid=t.id AND u.id=m.ownerId AND ((m.subject LIKE '%une%' OR txt LIKE 
'%une%') AND (m.subject LIKE '%pti%' OR txt LIKE '%pti%') AND (m.subject 
LIKE '%test%' OR txt LIKE '%test%')) AND m.creatorName='\"/> ' ORDER BY 
forumname DESC, creationtime DESC LIMIT 50

So I think an SQL injection type flaw is possible. Okay, first thing to do is set EasyPHP's magic_quotes to OFF...

Other:
******
date: 18/12/2004
~~~~
!!WARNING!!: THIS FLAW ONLY WORKS IF YOU HAVE ALREADY HAD ADMIN ACCESS !!!!!!
Okay, there's a really dumb flaw that lets you edit the profile, password etc. of any member! lol
Okay, to exploit this flaw you need to know the id of the member in question; on my local board the admin has this id: 2061890551
I create another member named benji who has this id: 1592
So far so good. Now I go to the "Member panel" => "Member profile" section and in the URL I see:

http://benji/zorum_3_5/index.php?method=modify_form&list=zorumuser&fromlist=secmenu&frommethod=userfunctions&id=1592

what interests me most is the end, &id=1592; well, it's really dumb, I just have to change the id and I can edit anyone's profile ;)
For example I put in the admin's id :) and this flaw works for everything! password etc.... hehe, cool, right?

comment:
************
is
must be getting late.
But apart from that it's pretty cool....

Copyright 2019, SecurityGlobal.net LLC