[NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk

From: SecuriTeam (support_at_securiteam.com)
Date: 10/18/04

    To: list@securiteam.com
    Date: 18 Oct 2004 15:03:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    - - - - - - - - -

      Multiple Cross Site Scripting Vulnerabilities in FuseTalk
    ------------------------------------------------------------------------

    SUMMARY

    FuseTalk (http://www.fusetalk.com/) is a web-based discussion forum
    system.
    FuseTalk suffers from multiple cross site scripting vulnerabilities.

    DETAILS

    Vulnerable Systems:
     * FuseTalk Enterprise Edition Version 2.0. Other versions might also be
    affected.

    In some forums (often older versions), when viewing a user's profile,
    script code passed in the ProfileID parameter of tombstone.cfm is echoed
    back unfiltered and the script is executed in the visitor's browser.
    Example:
    http://example.com/forum/tombstone.cfm?ProfileID=>alert(document.cookie)</script>

    Data sent to usersearchresults.cfm does not appear to be filtered either.
    Script code passed in the search field is echoed back and runs unfiltered;
    the affected parameter is 'keyword'. The issue can be recreated with the
    URL:
    http://example.com/forum/usersearchresults.cfm?keyword=>alert(document.cookie)</script>&FT_ACTION=SearchUsers

    The filtering script for the 'img src=' tag does not strip a " (double
    quote) that is preceded by a ?. This leads to cross site scripting: the
    <img src=" attribute can be closed by a user-supplied URL containing such
    a ", after which an attacker can append an event handler attribute such as
    onmouseover to inject JavaScript code.
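    To make the third finding concrete, the following is an added Python model (not FuseTalk's own code, which is ColdFusion) of a quote-stripping filter with the gap the advisory describes, next to a version that encodes the value for the HTML attribute context; the input URL is constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed input: a URL whose query string carries a double quote preceded
# by '?' and an attribute name after it, as described in the advisory.
CONSTRUCTED_INPUT = 'http://example.com/a.gif?" onmouseover="x'

# Hypothetical reconstruction of the weak behaviour: every double quote is
# removed, except one that immediately follows a '?'. Not FuseTalk's code.
def weak_img_src_filter(url: str) -> str:
    return re.sub(r'(?<!\?)"', "", url)

def render_img_weak(url: str) -> str:
    return '<img src="%s">' % weak_img_src_filter(url)

# Hardened version: the value is HTML-attribute encoded, so no user-supplied
# character can terminate the quoted attribute, and only http(s) URLs pass.
def render_img_safe(url: str) -> str:
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return ""
    return '<img src="%s">' % html.escape(url, quote=True)

def attribute_intact(markup: str) -> bool:
    """True when the src value is still one quoted token followed directly
    by '>', i.e. the user data did not break out of the attribute."""
    return re.fullmatch(r'<img src="([^"]*)">', markup) is not None

if __name__ == "__main__":
    print(render_img_weak(CONSTRUCTED_INPUT), attribute_intact(render_img_weak(CONSTRUCTED_INPUT)))
    print(render_img_safe(CONSTRUCTED_INPUT), attribute_intact(render_img_safe(CONSTRUCTED_INPUT)))
```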

    Vendor Status:
    The vendor was contacted last month and responded that:
    "all of these issues below were fixed in "Security Patches" released
    04/21/2004 & 05/04/2004. All customers were notified of these and were to
    apply them. The site you are visiting obviously has not applied these
    patches and should. If you do not the person in charge of that site you
    visit you might want them to email me sales [AT] fusetalk.com and I can
    let them know where to go and get those patches."

    However, it appears a large number of sites running FuseTalk are
    vulnerable and even the Demo Enterprise Edition on their homepage is
    currently vulnerable. It would appear these patches are not making their
    way around very well and/or do not fix all the below listed problems.

    ADDITIONAL INFORMATION

    The information has been provided by Spiffomatic64 (root@spiffomatic64.com)
    and Steven (steven@lovebug.org).
    The original article can be found at:
    http://www.lovebug.org/fusetalk_advisory.txt


