Fuse Talk Vulnerabilities

From: Stuart Jamieson (stuart.jamieson_at_active-outdoors.co.uk)
Date: 05/05/04

    Date: 5 May 2004 12:15:06 -0000
    To: bugtraq@securityfocus.com

    As well as the well-known XSS vulnerabilities, the latest version 4.0 seems to have some other issues.

    Unpatched releases of V4.0 allow the user to access the template banning.cfm without any administrative privileges. All users of the software should check with fusetalk.com for the latest security patches to prevent this being misused.

    Access to this template allows any user to ban any other users and seems to be particularly vulnerable. Fortunately it does not affect the administration templates, merely the moderation ones, so the chances of an attacker gaining higher levels of access seem unlikely.

    Another issue seems to exist which I have so far only tested on Version 2.0, and I am unsure if this also occurs in V3-4: it appears that within the administration templates adduser.cfm allows parameters to be passed by a GET statement rather than a POST statement.

    This potential vulnerability could allow a hostile to create a new account by tricking some other person with moderator powers. Although it may seem obvious that a link to
    would create a new account, if the address is hidden within an image tag [img][/img] then the event will fire the creation of the account when the administrator's web browser attempts to download the image.

    This could be extended by the variable FTVAR_SCRIPTRUN=self.close which, even if it did not create an account, would be capable of running malicious JavaScript when an administrative user attempted to follow the link.

    Since FuseTalk relies nearly entirely on POST-based data, the best fix for this is to restrict posting of data by a GET statement.
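An added example, written for this archive page rather than taken from the post or from FuseTalk, in Python instead of ColdFusion: a hypothetical stand-in for the adduser.cfm behaviour described above beside a hardened version, plus a log check that flags GET submissions to the two templates the post names. It goes one step past the post's POST-only fix by also requiring a per-session anti-CSRF token; all function names, the token and the log lines are constructed.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-in for the adduser.cfm behaviour the post describes: parameters
# are honoured from the query string as well as the POST body, so a GET fetched by a
# moderator's browser (e.g. via an image tag) creates the account.
def adduser_vulnerable(method, url, body, users):
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    name = params.get("username", [""])[0]
    if not name:
        return False
    users.add(name)
    return True

# Hardened stand-in: only a POST body is read, and it must carry the caller's
# per-session anti-CSRF token (a hidden auto-submitting form can still POST cross-site).
def adduser_hardened(method, url, body, users, session_token):
    if method != "POST":
        return False
    params = parse_qs(body)
    token = params.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, session_token):
        return False
    name = params.get("username", [""])[0]
    if not name:
        return False
    users.add(name)
    return True

# Detection over web-server logs: a GET carrying a query string to these templates
# should not occur in normal POST-based FuseTalk traffic.
WATCHED = ("adduser.cfm", "banning.cfm")
def flag_get_submissions(log_lines):
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7 or parts[5] != '"GET':
            continue
        path, _, query = parts[6].partition("?")
        if query and path.endswith(WATCHED):
            hits.append(parts[6])
    return hits

# Constructed sample Common Log Format lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/May/2004:10:00:00 +0000] "GET /forum/adduser.cfm?username=evil HTTP/1.0" 200 512',
    '10.0.0.5 - - [05/May/2004:10:00:01 +0000] "GET /forum/index.cfm HTTP/1.0" 200 9021',
    '10.0.0.6 - - [05/May/2004:10:00:02 +0000] "POST /forum/adduser.cfm HTTP/1.0" 302 0',
]
```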
