Message-ID: <55D2F7E4.5010008@curesec.com>
Date: Tue, 18 Aug 2015 11:16:20 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Phorum 5.2.19 - Reflected XSS and Open Redirect

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
Security Advisory – Curesec Research Team
1. Introduction

Affected Product:    Phorum 5.2.19
Fixed in:            5.2.20
Fixed Version Link:  http://www.phorum.org/downloads/phorum_5_2_20.zip
Vendor Contact:      webmaster@...rum.org
Vulnerability Type:  Reflected XSS (IIS only) and Open Redirect
Remote Exploitable:  Yes
Reported to vendor:  07/14/2015
Disclosed to public: 08/17/2015
Release mode:        Coordinated release
CVE:                 n/a
Google Dork:         "This forum is powered by Phorum" (About 431,000 results)
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

Phorum 5.2.19 is vulnerable to reflected cross-site scripting when
running on Microsoft IIS: its redirect helper takes an IIS-specific code
path that writes the redirect target into an HTML page without escaping
it. With this, it is possible to inject and execute arbitrary JavaScript
code in the context of the forum. This can for example be used by an
attacker to inject a JavaScript keylogger, bypass CSRF protection, or
perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker-controlled website.

Additionally, there is an open redirect vulnerability, which may aid
attackers in phishing attacks: a link that points at the trusted forum
domain lands the victim on an attacker-chosen site. This vulnerability
is not limited to Microsoft IIS; on other web servers the same
parameter is passed unchecked into a Location header.

3. Proof of Concept

The XSS injection takes place into the phorum_redirect_to GET argument.
The value is written unescaped into the content attribute of a meta
refresh tag, so a double quote closes the attribute and the rest of the
payload is rendered as markup (on IIS only; other servers send the value
in a Location header, where it is not rendered):

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com"><script>alert(1)</script>

The open redirect is possible via the same GET argument and works on any
web server, since the supplied URL is passed unchecked to the Location
header (or, on IIS, to the meta refresh):

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com

4. Code

XSS:

    common.php:1990
            if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) {
                // the ugly IIS-hack to avoid crashing IIS
                // $redir_url is the raw phorum_redirect_to value; it is
                // written into an attribute and a link without escaping
                print "<html><head>\n<title>Redirecting ...</title>\n";
                print "<meta http-equiv=\"refresh\" content=\"0; URL=$redir_url\">";
                print "</head>\n";
                print "<body><a href=\"$redir_url\">Redirecting ...</a></body>\n";
                print "</html>";
            }
        }

Open Redirect:

    redirect.php:29
        if (isset($PHORUM["args"]["phorum_redirect_to"])) {
            // attacker-controlled value, decoded and passed on as-is
            $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]);
            phorum_redirect_by_url($redir);
        }

    common.php:1973
        function phorum_redirect_by_url( $redir_url )
        {
        [... (no sanitization) ... ]
        header( "Location: $redir_url" );
        [...]
        }
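Below is a hardened version of the redirect helper, added to this write-up as an example; it is not Phorum's own code and not the fix that shipped in 5.2.20. It introduces two assumed functions, phorum_safe_redirect_target() and phorum_redirect_by_url_safe(), an assumed configuration value $allowed_host (the forum's own hostname, here forum.example.org), and a constructed list of test inputs that includes the two payloads from section 3. The open redirect is closed by accepting only targets on the forum's own host or site-local absolute paths; the IIS-only XSS is closed by HTML-escaping the target before it is written into the meta refresh and the anchor.

```php
<?php
// Added example (not Phorum code): hardened replacement for
// phorum_redirect_by_url(). Returns the redirect target if it is safe
// to follow, or null if it must be replaced by a fallback.
function phorum_safe_redirect_target($redir_url, $allowed_host)
{
    // Browsers treat "\" like "/" and a leading "//" as scheme-relative,
    // so normalise before parsing: "/\evil.example" must not look local.
    $url = str_replace("\\", "/", (string) $redir_url);
    // Drop control characters and whitespace (header injection, "java\tscript:").
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);

    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme'])) {
        // Absolute URL: only http(s), only our own host, no userinfo
        // (http://forum.example.org@evil.example).
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'http' && $scheme !== 'https') {
            return null;
        }
        if (!isset($parts['host'])
            || strtolower($parts['host']) !== strtolower($allowed_host)) {
            return null;
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return null;
        }
        return $url;
    }
    // No scheme: must be a site-local absolute path, never "//host/...".
    if (isset($parts['host'])
        || strncmp($url, '//', 2) === 0
        || strncmp($url, '/', 1) !== 0) {
        return null;
    }
    return $url;
}

// Assumed replacement for the original helper; keeps the IIS fallback
// but escapes the URL so a quote can no longer close the attribute.
function phorum_redirect_by_url_safe($redir_url, $allowed_host, $fallback = '/')
{
    $target = phorum_safe_redirect_target($redir_url, $allowed_host);
    if ($target === null) {
        $target = $fallback; // never echo the attacker's string back
    }
    $is_iis = isset($_SERVER['SERVER_SOFTWARE'])
        && stristr($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS');
    if ($is_iis) {
        $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
        print "<html><head>\n<title>Redirecting ...</title>\n";
        print "<meta http-equiv=\"refresh\" content=\"0; URL=$safe\">";
        print "</head>\n";
        print "<body><a href=\"$safe\">Redirecting ...</a></body>\n";
        print "</html>";
    } else {
        header("Location: $target");
    }
    exit;
}

// Self-check with constructed inputs (run from the CLI: php this_file.php).
$host = 'forum.example.org'; // assumed forum hostname
$cases = array(
    'http://google.com"><script>alert(1)</script>' => null,   // XSS PoC
    'http://google.com'                            => null,   // open redirect PoC
    '//evil.example/x'                             => null,   // scheme-relative
    '/\\evil.example'                              => null,   // backslash variant
    'javascript:alert(1)'                          => null,   // non-http scheme
    'http://forum.example.org@evil.example/'       => null,   // userinfo trick
    'http://forum.example.org/list.php?1'          => 'http://forum.example.org/list.php?1',
    '/read.php?1,2'                                => '/read.php?1,2',
);
foreach ($cases as $in => $want) {
    $got = phorum_safe_redirect_target($in, $host);
    printf("%-48s => %s\n", $in, $got === null ? 'REJECT' : $got);
    if ($got !== $want) {
        echo "  FAIL, expected ", var_export($want, true), "\n";
    }
}
```

Comparing the host only (not the port) is a deliberate simplification; if the forum runs on a non-standard port, compare host and port together, otherwise a target on another service of the same machine would still pass.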

5. Solution

To mitigate this issue please upgrade at least to version 5.2.20:

http://www.phorum.org/downloads/phorum_5_2_20.zip

Please note that a newer version might already be available.

6. Report Timeline

07/14/2015 	Informed Vendor about Issue
07/19/2015 	Vendor releases Version 5.2.20
08/17/2015 	Disclosed to public

7. Blog Reference

http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
