L-Forum XSS and upload spoofing

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 08/14/02


Date: Wed, 14 Aug 2002 00:54:50 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com

L-Forum XSS and upload spoofing

PROGRAM: L-Forum
VENDOR: Leszek Krupinski <leszek@php.net>
HOMEPAGE: http://l-forum.x-php.net/
VULNERABLE VERSIONS: 2.4.0, possibly others
IMMUNE VERSIONS: none, but an official patch is available for
                 some issues
SEVERITY: high
LOGIN REQUIRED: no

DESCRIPTION:

"L-Forum is [a] universal Web forum written in PHP. It has support
for threading, multiple languages, and the PostgreSQL/MySQL database
server. You can also easily change its design, or even change design
on-the-fly with themes support."

(direct quote from the program's project page at Freshmeat)

L-Forum is published under the terms of the GNU General Public
License.

SUMMARY:

L-Forum has got two different XSS (Cross-Site Scripting) holes,
allowing attackers to add JavaScript code to messages that they post
in a forum. It has also got an upload spoofing hole, indirectly
allowing an attacker to download any file on the server that the
httpd daemon can read.

TECHNICAL DETAILS:

1) If "Enable HTML in messages" is set to on in L-Forum
Administration, everyone who reads a message is exposed to several
XSS (Cross-Site Scripting) holes. With that setting on, all parts of
a message (the From, E-Mail, Subject and Body fields) may contain any
HTML at all, including script tags that execute JavaScript code or,
even worse, meta http-equiv tags that redirect you to Gobbles'
homepage.

2) When "Enable HTML in messages" is set to off in L-Forum
Administration, HTML code is only removed from the Body, and not
from the From, E-mail and Subject fields.

3) The file upload function accepts an upload without checking
whether the four global variables that describe it (attachment,
attachment_name, attachment_size and attachment_type) were really set
by a file upload or simply arrived as ordinary POST data. A request
that supplies those four fields as plain POST parameters is therefore
treated as an upload, and whatever server-side path is given in
attachment (/etc/passwd, for example) is handled as if it were the
uploaded file. Any file the web server can read can be exposed this
way.
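As an added illustration (not L-Forum's code and not the vendor's patch), the following PHP sketches a message renderer and an upload handler in the shapes items 1 to 3 describe, each beside a hardened version. The field names and the four upload variables are taken from the advisory; the function names, the upload directory and the sample request are assumptions made for this example.

```php
<?php
// Added example, not L-Forum's code. Only the message fields and the four
// upload variables ($attachment, $attachment_name, $attachment_size,
// $attachment_type) come from the advisory; function names, the upload
// directory and the sample request below are assumptions for the demo.

// --- Issues 1 and 2: escape every field, not only the Body ------------------
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'ISO-8859-1');
}

// Vulnerable shape: only the Body is cleaned; From, E-Mail and Subject are
// echoed raw, so markup in the Subject runs in every reader's browser.
function render_message_vulnerable(array $m): string
{
    return "<p><b>From:</b> " . $m['from'] . " &lt;" . $m['email'] . "&gt;</p>\n"
         . "<p><b>Subject:</b> " . $m['subject'] . "</p>\n"
         . "<p>" . strip_tags($m['body']) . "</p>\n";
}

// Hardened: every user-controlled field passes through the same escaper.
function render_message_safe(array $m): string
{
    return "<p><b>From:</b> " . h($m['from']) . " &lt;" . h($m['email']) . "&gt;</p>\n"
         . "<p><b>Subject:</b> " . h($m['subject']) . "</p>\n"
         . "<p>" . h($m['body']) . "</p>\n";
}

// --- Issue 3: upload descriptor that may be plain POST data ------------------
// Under register_globals=on a real upload sets $attachment (temp path),
// $attachment_name, $attachment_size and $attachment_type, but an ordinary
// POST field named "attachment" sets the same global. Emulate that merge.
function register_globals_view(array $post, array $files): array
{
    $vars = $post;
    if (isset($files['attachment'])) {
        $vars['attachment']      = $files['attachment']['tmp_name'];
        $vars['attachment_name'] = $files['attachment']['name'];
        $vars['attachment_size'] = $files['attachment']['size'];
        $vars['attachment_type'] = $files['attachment']['type'];
    }
    return $vars;
}

// Vulnerable shape: copies whatever path $attachment names into the public
// attachment directory, so "attachment=/etc/passwd" republishes that file.
function save_attachment_vulnerable(array $vars, string $uploadDir): ?string
{
    if (empty($vars['attachment'])) {
        return null;
    }
    $dest = $uploadDir . '/' . basename($vars['attachment_name'] ?? 'upload');
    return copy($vars['attachment'], $dest) ? $dest : null;
}

// Hardened: take the descriptor only from $_FILES and let PHP confirm the
// temp file was actually received in this request before moving it.
function save_attachment_safe(array $files, string $uploadDir): ?string
{
    if (!isset($files['attachment']) || $files['attachment']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files['attachment']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;   // a spoofed path such as /etc/passwd fails this test
    }
    $dest = $uploadDir . '/' . basename($files['attachment']['name']);
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

// --- Constructed demo input (not a real L-Forum request) ----------------------
$msg = [
    'from'    => 'bob<script>alert(document.cookie)</script>',
    'email'   => 'bob@example.org',
    'subject' => '<meta http-equiv="refresh" content="0;url=http://example.org/">',
    'body'    => 'hello <b>world</b>',
];
echo render_message_vulnerable($msg);   // tags in From/Subject reach the page
echo render_message_safe($msg);         // every tag is rendered as text

// No multipart upload at all, just POST fields naming a server-side file.
$spoofedPost = [
    'attachment'      => '/etc/passwd',
    'attachment_name' => 'passwd.txt',
    'attachment_size' => '1024',
    'attachment_type' => 'text/plain',
];
$uploadDir = sys_get_temp_dir() . '/lforum-demo';
@mkdir($uploadDir, 0700);

$leak = save_attachment_vulnerable(register_globals_view($spoofedPost, []), $uploadDir);
echo "vulnerable: " . ($leak ?? 'refused') . "\n";

// Even a hand-built $_FILES entry pointing at /etc/passwd is rejected,
// because is_uploaded_file() only accepts files PHP received this request.
$fakeFiles = ['attachment' => ['tmp_name' => '/etc/passwd', 'name' => 'passwd.txt',
                               'size' => 1024, 'type' => 'text/plain',
                               'error' => UPLOAD_ERR_OK]];
echo "hardened:   " . (save_attachment_safe($fakeFiles, $uploadDir) ?? 'refused') . "\n";
```

The hardened upload path is the usual fix for this class of bug: read the upload descriptor from `$_FILES` rather than from globals, and only ever hand the temp name to `is_uploaded_file()`/`move_uploaded_file()`, which refuse any path that PHP did not itself create for the current request. The renderer fix is simply to run every field through `htmlspecialchars()` with `ENT_QUOTES`, since an attacker who cannot touch the Body still controls From, E-Mail and Subject.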

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. He replied very quickly,
and posted an official patch that fixes problems number 2 and 3,
but not number 1, on the program's homepage. There is no official
new release yet, but if you apply the patch and turn off "Enable
HTML in messages" in L-Forum Administration, you are immune to all
three holes.

// Ulf Harnhammar
ulfh@update.uu.se


