Date: 6 May 2008 20:19:36 -0000
From: decoder-bugtraq@...-hero.net
To: bugtraq@...urityfocus.com
Subject: mvnForum 1.1 Cross Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27
Last revised: 2008-05-06
Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt
Source: Christian Holler <http://users.own-hero.net/~decoder/>


Systems Affected:

 mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate


Overview:

 An attacker who has the right to start a new thread or to reply to an
 existing one can embed JavaScript in the thread subject ("topic"). That
 code is executed in the browser of any other user who presses the quick
 reply button that is shown for every post.

 The injection is possible because the subject text is inserted into the
 "onclick" handler of the quick reply button, that is, into a JavaScript
 string literal, while the software only applies the escaping that is
 typical for plain HTML cross site scripting. The characters that matter
 inside a JavaScript string are not covered; in particular, the single
 quote character is not escaped.

I. Description

 Threads offer a standard feature called "quick reply". For user
 convenience, each post has a button that jumps to the quick reply form
 and, at the same time, sets the subject at the top of that form to the
 subject of the post being replied to. This is done with JavaScript that
 receives the post id and the subject as string arguments. The source
 code for this button looks like this:

 <a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
 <img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"
  border="0" alt="Quick reply to this post" title="Quick reply to this post" /></a>

 Because single quotes are not escaped in this JavaScript string context,
 it is possible to break out of the second argument of QuickReply() and
 execute arbitrary JavaScript in the browser of the user who clicks the
 button.

II. Impact

 Any user that is allowed to post anywhere can use this flaw to steal
 sensitive information such as cookies from other users. Because the
 forum uses simple reusable MD5 hashes in its cookies, this attack makes
 it possible to gain unauthorized access to other user accounts.

 However, the attack relies on the victim clicking the quick reply button
 and should therefore be considered only a moderate risk.

III. Proof of concept

 Creating a new thread, or replying to an existing one, with the following
 subject demonstrates the problem as soon as any user hits the "quick reply"
 button above the post text:
 
 Test', alert('XSS ALERT') , '


IV. Solution

 At the time of writing, a fix is available in CVS.
 http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316&r2=1.317

Timeline:

 2008-04-27: mvnForum authors informed
 2008-05-01: Fix available in CVS
 2008-05-06: Vulnerability notice published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.6 (GNU/Linux)

iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S
FWggJDc19FDPXiiyS+AP9iU=
=Tixo
-----END PGP SIGNATURE-----
