[NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk

From: SecuriTeam (support_at_securiteam.com)
Date: 10/18/04

    To: list@securiteam.com
    Date: 18 Oct 2004 15:03:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Cross Site Scripting Vulnerabilities in FuseTalk
    ------------------------------------------------------------------------

    SUMMARY

    FuseTalk <http://www.fusetalk.com/> is a web-based discussion forum
    system.
    FuseTalk suffers from multiple cross site scripting vulnerabilities.

    DETAILS

    Vulnerable Systems:
     * FuseTalk Enterprise Edition Version 2.0. Other versions might also be
    affected.

    In some forums (often older versions), when viewing a user's profile, if
    scripting code is passed in the ProfileID parameter of tombstone.cfm, the
    text is once again unfiltered and the script will be executed.
    Example:
    http://example.com/forum/tombstone.cfm?ProfileID=><script>alert(document.cookie)</script>

    Data sent to usersearchresults.cfm does not appear to be filtered.
    Malicious script code passed to the search parameter is returned and run
    unfiltered. The error lies within the 'keyword' parameter. The issue can
    be recreated with the URL:
    http://example.com/forum/usersearchresults.cfm?keyword=><script>alert(document.cookie)</script>&FT_ACTION=SearchUsers
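
    A log check for the two parameters described above, added here as an
    example and not part of the original advisory. It assumes combined-format
    access logs and that a legitimate ProfileID is numeric; the sample log
    lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page -> (parameter named in the advisory, shape a legitimate value is assumed to have).
# Assumption: ProfileID is a numeric ID; a search keyword never needs <, >, " or '.
RULES = {
    "tombstone.cfm": ("ProfileID", re.compile(r"\d+")),
    "usersearchresults.cfm": ("keyword", re.compile(r"[^<>\"']*")),
}

# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (line_no, page, param, decoded_value) for values outside the expected shape."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        page = url.path.rsplit("/", 1)[-1].lower()
        if page not in RULES:
            continue
        name, allowed = RULES[page]
        # parse_qs percent-decodes, so encoded markup is compared in decoded form.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() == name.lower():  # ColdFusion URL variables are case-insensitive
                hits += [(line_no, page, name, v) for v in values if not allowed.fullmatch(v)]
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2004:15:03:41 +0200] "GET /forum/tombstone.cfm?ProfileID=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Oct/2004:15:04:02 +0200] "GET /forum/tombstone.cfm?ProfileID=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [18/Oct/2004:15:04:10 +0200] "GET /forum/usersearchresults.cfm?keyword=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&FT_ACTION=SearchUsers HTTP/1.1" 200 6010',
    '198.51.100.7 - - [18/Oct/2004:15:05:00 +0200] "GET /forum/usersearchresults.cfm?keyword=steven&FT_ACTION=SearchUsers HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```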

    The filtering script for the 'img src=' tag doesn't filter " (double
    quote) if it is preceded by a ?. This leads to cross site scripting, since
    the <img src=" attribute can be closed by a target URL containing a
    user-injected ", allowing an attacker to use an event-handler attribute
    such as onmouseover to inject JavaScript code.
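
    The quote-filter flaw described above beside an encoded alternative, as an
    added example that is not FuseTalk code or part of the original advisory.
    flawed_img is a hypothetical model of the described behaviour, safe_img is
    one possible fix, and the sample URL is constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def flawed_img(url):
    """Hypothetical model of the flaw: strip double quotes unless preceded by '?'."""
    filtered = re.sub(r'(?<!\?)"', "", url)
    return '<img src="' + filtered + '">'

def safe_img(url):
    """Accept only http(s) URLs and HTML-encode the value for a quoted attribute."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # reject javascript:, data:, relative and malformed URLs
    # quote=True turns " into &quot;, so the value cannot close the attribute.
    return '<img src="' + html.escape(url, quote=True) + '">'

class _AttrCollector(HTMLParser):
    """Collects the attribute names an HTML parser sees in start tags."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names += [name for name, _ in attrs]

def attribute_names(markup):
    """Return the attribute names present after parsing the markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names

# Constructed sample value: a quote placed directly after '?'.
SAMPLE_URL = 'http://example.com/a.gif?" onmouseover="alert(1)'

if __name__ == "__main__":
    for render in (flawed_img, safe_img):
        out = render(SAMPLE_URL)
        print(render.__name__, out, attribute_names(out))
```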

    Vendor Status:
    The vendor was contacted last month and responded that:
    "all of these issues below were fixed in "Security Patches" released
    04/21/2004 & 05/04/2004. All customers were notified of these and were to
    apply them. The site you are visiting obviously has not applied these
    patches and should. If you do not the person in charge of that site you
    visit you might want them to email me sales [AT] fusetalk.com and I can
    let them know where to go and get those patches."

    However, it appears a large number of sites running FuseTalk are
    vulnerable and even the Demo Enterprise Edition on their homepage is
    currently vulnerable. It would appear these patches are not making their
    way around very well and/or do not fix all the below listed problems.

    ADDITIONAL INFORMATION

    The information has been provided by Spiffomatic64
    <root@spiffomatic64.com> and Steven <steven@lovebug.org>.
    The original article can be found at:
    http://www.lovebug.org/fusetalk_advisory.txt
