lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20130311121559.7e3e96fe@sec-consult.com>
Date: Mon, 11 Mar 2013 12:15:59 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: bugtraq <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20130311-0 :: Persistent
 cross-site scripting in jforum

SEC Consult Vulnerability Lab Security Advisory < 20130311-0 >
=======================================================================
              title: Persistent cross-site scripting vulnerability
            product: jforum
 vulnerable version: 2.1.9
      fixed version: -
             impact: medium
           homepage: http://jforum.net/
              found: 2012-09-20
        	CVE: 
                 by: A. Antukh
                     SEC Consult Vulnerability Lab 
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
jforum is a powerful and robust discussion board system implemented in Java.

"jforum is a discussion board software - a forum - widely known for half a
decade already. It powers many big forums around the globe, including
Electronic Arts' gaming forums, JavaRanch (one of the biggest and oldest Java
communities), GUJ (the biggest Java development community for Portuguese
speakers). It is an Open Source project, maintained by serious developers."

Source: http://jforum.net/contact.jsp


Vulnerability overview/description:
-----------------------------------
A module "pm" provided in the standard installation of jforum includes the
action "sendSave", which suffers from a persistent cross-site scripting
vulnerability due to insufficient validation of user supplied data.

An authenticated user is able to perform cross-site scripting attacks e.g.
create relogin trojan horses or steal session cookies in the context of the
affected website that uses a vulnerable version of jforum.


Proof of concept:
-----------------
The vulnerability is exploited due to improper validation of a certain parameter.
PoC URL has been removed as no vendor patch is available.


Vulnerable / tested versions:
-----------------------------
The vulnerability is verified to exist in 2.1.9 version of jforum which is the 
most recent at the moment of writing the advisory.


Fixed version:
--------------
No patch available.


Vendor contact timeline:
------------------------
2012-11-15: Contacted vendor through rafael@...anecorp.com
2012-11-15: Initial vendor response - issues will be verified
2012-11-20: Under investigation / Being fixed in main codeline
2013-02-28: Vendor notification about advisory release on 2013-03-08 according to
	    the SEC Consult responsible disclosure policy.
2013-03-05: Vendor agrees with dates of publishing the advisory, will maybe
            supply patch in the future (does currently not work on project)
2013-03-11: Public release of SEC Consult advisory


Workaround:
-----------
No workaround available


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com

EOF A. Antukh / @2013

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ