[UNIX] Pforum Cross-Site-Scripting Vulnerability
From: support@securiteam.comDate: 03/02/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 2 Mar 2002 20:15:10 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Pforum Cross-Site-Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
Pforum (http://www.powie.de/) is a web forum system written in PHP with a
MySQL back end. Although the software tries to strip malicious input (e.g.
unwanted HTML), it does not apply this check to the username, and possibly
to other fields, submitted when a new user registers. A malicious user can
therefore register with a username that contains JavaScript. Because
several pages (e.g. the page listing all users) render the username without
stripping or encoding the embedded script, the script runs in the browser
of every user who views those pages and can read that user's cookie, which
holds the session ID.
DETAILS
Vulnerable systems:
Pforum version 1.14
Immune systems:
Pforum version 1.15
A typical Pforum user has JavaScript enabled (the site uses it, e.g. to
swap icons), so the session ID of any such user can be stolen by someone
who has planted malicious code in the forum. Because the only way for an
administrator to notice this kind of attack is to inspect the database or
the rendered page source, an attacker can easily go undetected.
Proof of concept:
Just use this URL (on one line):
http://www.example.com/pforum/edituser.php?boardid=&agree=1
&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E
&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1
This request registers a new user whose name appears to be "test", because
the <script> element renders nothing visible. In fact, wherever the
username is displayed, the embedded JavaScript is emitted into the page as
well. Any other user who then opens such a page sees their own session ID
in a popup box. Of course, an attacker can just as easily collect the
session ID instead of displaying it, e.g. by setting document.location.href
to an attacker-controlled URL that carries the cookie in its query string,
or by reading it out of the Referer header on the attacker's server.
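The following PHP is an added example, not Pforum's own code, showing the
class of bug the summary and proof of concept describe: a username stored
verbatim at registration and later interpolated into HTML without encoding,
alongside a hardened version. Function names and the in-memory "users"
table are assumptions made for the demonstration; the sample username is the
URL-decoded payload from the proof-of-concept request.

```php
<?php
// Added example, not Pforum's own code. Demonstrates the stored XSS pattern
// from the advisory and one way to harden it. Function names and the
// in-memory $users table are assumptions for this demonstration.

// Constructed sample: the username from the proof-of-concept URL, URL-decoded.
$pocUsername = '<script>alert(document.cookie)</script>';

// --- Vulnerable pattern (what the advisory describes) -----------------------
// Registration stores whatever arrived in the request ...
function registerUserVulnerable(array &$users, string $username, string $nickname): void {
    $users[] = ['username' => $username, 'nickname' => $nickname];
}
// ... and the user list interpolates it straight into markup.
function renderUserListVulnerable(array $users): string {
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= "  <li>{$u['username']} ({$u['nickname']})</li>\n";
    }
    return $html . "</ul>\n";
}

// --- Hardened pattern -------------------------------------------------------
// 1. Validate on input: a username is an identifier, so restrict it to a
//    conservative character set instead of trying to strip "bad" HTML.
function isValidUsername(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username);
}
function registerUserHardened(array &$users, string $username, string $nickname): bool {
    if (!isValidUsername($username)) {
        return false;                      // reject; do not try to "clean up"
    }
    $users[] = ['username' => $username, 'nickname' => $nickname];
    return true;
}
// 2. Encode on output: every untrusted value that lands in HTML goes through
//    htmlspecialchars, regardless of what input validation did. ENT_QUOTES
//    also covers attribute contexts; the charset must match the page's.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function renderUserListHardened(array $users): string {
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= "  <li>" . h($u['username']) . " (" . h($u['nickname']) . ")</li>\n";
    }
    return $html . "</ul>\n";
}
// 3. Limit the damage of any XSS that still slips through: an HttpOnly session
//    cookie cannot be read via document.cookie, and Secure keeps it off
//    plaintext HTTP. Must be called before any output is sent (PHP >= 7.3).
function setSessionCookieHardened(string $sessionId): void {
    setcookie('sessionid', $sessionId, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Demonstration
$vuln = [];
registerUserVulnerable($vuln, $pocUsername, 'test');
echo "Vulnerable output:\n" . renderUserListVulnerable($vuln);
// The <li> now contains a live <script> element that runs in every viewer's browser.

$safe = [];
var_dump(registerUserHardened($safe, $pocUsername, 'test'));   // bool(false): rejected
registerUserHardened($safe, 'alice', 'test');
echo "Hardened output:\n" . renderUserListHardened($safe);

// Even if a hostile name had already reached the database (e.g. registered
// before validation was added), output encoding neutralises it:
echo renderUserListHardened([['username' => $pocUsername, 'nickname' => 'test']]);
// The script tags come out as &lt;script&gt; ... &lt;/script&gt; and are shown as text.
```

Input validation and output encoding are independent defences: the
validator keeps hostile names out of new registrations, while encoding at
the rendering site protects against names that entered the database
through any other path. The HttpOnly cookie flag does not stop the script
from running, but it removes the session ID as an easy target for exactly
the document.cookie read used in the proof of concept.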
Temporary fix:
Users can disable JavaScript in their browsers, but this would disable
some features of Pforum.
Fix:
The vendor has released a new version, which seems to fix the bug.
Vendor status:
Vendor has released a new version.
ADDITIONAL INFORMATION
The information has been provided by Jens Liebchen (security@ppp-design.de).
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.