[NT] Snitz Forum 2000 Cross Site Scripting In User Registration Form
From: SecuriTeam (support_at_securiteam.com)
Date: 06/22/04
To: list@securiteam.com
Date: 22 Jun 2004 18:42:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Snitz Forum 2000 Cross Site Scripting In User Registration Form
------------------------------------------------------------------------
SUMMARY
"Snitz Forums 2000 <http://forum.snitz.com/>, one of the best ASP based
bulletin board systems on the market. Getting better every day! A complete
board system (forum) that allows the user access to a friendly and
intuitive interface."
A cross site scripting vulnerability has been found in the user
registration form of Snitz Forum 2000. All avenues of attack possible from
a cross-site scripting vulnerability apply.
DETAILS
Vulnerable Systems:
* Snitz Forum 2000 version 3.4.04 and prior
Immune Systems:
* Snitz Forum 2000 after vendor patch applied
When registering a new account the register.asp script fails to properly
sanitize the E-mail address (Email) field. A specially crafted Email
address can be sent to the registration script which would allow a
malicious user to launch all types of cross-site scripting attacks, the
most common of which are cookie stealing and simple script execution on
the victim's client side.
The vulnerable script is 'register.asp'. When creating a new account or
modifying an existing one, the following string can be used to test for
the vulnerability:
p@p" onMouseOver="a!ert(document.cookie);
When a user then follows a link to send the attacker an email, the script
code is executed.
Vendor Status:
The vendor has been informed and has replied with fix information. The
patch has to be applied manually by modifying the pop_mail.asp script at
line 184 and changing it from:
rs("M_EMAIL")
to:
chkString(rs("M_EMAIL"),"display")
The vendor solution can also be found at
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=53360
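The effect of encoding the stored address at output, as an added example that is not part of the advisory or of the Snitz code. It is written in Python rather than the forum's ASP: html.escape stands in for chkString(..., "display"), whose implementation the advisory does not show, and the mailto anchor markup is an assumption about how the address is emitted.

```python
import html
from html.parser import HTMLParser

# Test string quoted in the advisory, used here as sample input.
TEST_EMAIL = 'p@p" onMouseOver="a!ert(document.cookie);'

# Assumed markup: the advisory does not show how pop_mail.asp emits the address.
TEMPLATE = '<a href="mailto:{email}">Send e-mail</a>'


def render_raw(email):
    """'Before' form: stored value written into the attribute unencoded."""
    return TEMPLATE.format(email=email)


def render_encoded(email):
    """'After' form: value HTML-encoded at output (stand-in for chkString)."""
    return TEMPLATE.format(email=html.escape(email, quote=True))


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of every <a> tag as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))  # attribute names arrive lowercased


def anchor_attrs(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.anchors


def injected_handlers(markup):
    """Event-handler attributes (on*) present on anchors; empty list means none."""
    return sorted(n for a in anchor_attrs(markup) for n in a if n.startswith("on"))


if __name__ == "__main__":
    print(injected_handlers(render_raw(TEST_EMAIL)))      # ['onmouseover']
    print(injected_handlers(render_encoded(TEST_EMAIL)))  # []
```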
Disclosure Timeline
Vulnerability discovered April 29th 2004
Vendor notified May 6th 2004
Vendor response June 11th 2004
Public release June 16th 2004
ADDITIONAL INFORMATION
The information has been provided by Pete Foster - Sec-Tec
<mailto:petef@sec-tec.co.uk>.