lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1110685571.7695.6.camel@localhost>
Date: Sat, 12 Mar 2005 22:46:11 -0500
From: Jon Oberheide <jonojono@...ch.edu>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: 3 XSS Vulnerabilities in Phorum <= 5.0.14
Author: Jon Oberheide <jon@...rheide.org>
Date: Sat, March 12th, 2005
Summary
=======
Application: Phorum
Vendor Website: http://www.phorum.org
Affected Versions: <= 5.0.14
Type of Vulnerability: Cross Site Scripting (XSS)
About Phorum
============
Phorum is a web based message board written in PHP. Phorum is
designed with high-availability and visitor ease of use in mind.
Features such as mailing list integration, easy customization and
simple installation make Phorum a powerful add-in to any website.
XSS Bug #1: Attachment Filename
===============================
When posting a message in a thread, Phorum allows for file attachments
of various types. When a user later views the thread containing the
attachment, the filename is displayed. In file.php, the filename of
the attachment is not sanitized before being output, leading to our
XSS attack.
Posting of an attachment with a filename such as:
test<script language='Javascript'
src='http://test.com/test.js'>.txt
will result in the execution of arbitrary javascript in an
unsuspecting user's browser when they view the thread.
The solution is to call PHP's htmlentities() on the filename before it
is output to the user's browser.
XSS Bug #2: Following Threads
=============================
While the subject line of a thread is sanitized correctly in the
majority of places in Phorum, it is not in follow.php. When a user
attempts to "follow" or subscribe to a thread with a malicious
subject, the code will be executed.
The solution is to call PHP's htmlentities() on the thread subject in
follow.php before it is output to the user's browser.
XSS Bug #3: User Control Panel
==============================
The user's personal control panel has a module showing a list of
currently "followed" threads. Similar to bug #2, the thread subject
line is not sanitized before this list is output.
The solution is to call PHP's htmlentities() on the thread subject in
the control panel before it is output to the user's browser.
Timeline
========
2005-02-20: Bug #1 discovered and vendor notified
2005-02-21: Version 5.0.14a released resolving bug #1
2005-02-22: Bug #2 and #3 discovered and vendor notified
2005-03-10: Version 5.0.15 released resolving bug #2 and #3
2005-03-12: Advisory posted to bugtraq/full-disclosure
--
Jon Oberheide <jonojono@...ch.edu>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Powered by blists - more mailing lists