Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

pforum: cross-site-scripting bug

From: Jens Liebchen <security () ppp-design de>
Date: Fri, 22 Feb 2002 22:17:51 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following cross-site-scripting bug in pforum:


Details
- -------
Product: pforum
Version: 1.14 and maybe all versions before
OS affected: all OS with php and mysql
Vendor-URL: www.powie.de
Vendor-Status: informed, new version available
Security-Risk: High
Remote-Exploit: Yes


Introduction
- ------------
pforum is a www-board system using php and mysql. Although the author
seems to try to eliminate malicious code (eg. unwanted html-code) in the
input, he forget to check the username and maybe some other inputs when
registering a new user for malicious code. Therefore it is possible for
a malicious user to enter a username containing javascript code. Because
the userename ist displayed without parsing out the javascript on
several pages (eg. the page listing all users), it is possible to access
some other user's cookie containing the sessionid.


More details
- ------------
A typically user of pforum has enabled javascript (the side is using it
eg. for changing some icons), so it is possible that his sessionid gets
stolen by someone who has placed some malicious code in the forum.
Because the only way for an administrator to get aware of this sort of
attack is to look in the database or in the sourcecode of the board, it
is easy for a possible attacker not to be caught.


Proof-of-concept
- ----------------
Just use this url (one line):

"http://www.server.com/pforum/edituser.php?boardid=&agree=1
&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E
&nickname=test&email=test () test com&pwd=test&pwd2=test&filled=1"

This url generates a new users, which Username seems to be "test". In
fact, everywhere the username is displayed, the included javascript code
is placed, too. If some other user now goes to this page, he can see his
sessionid in a popup-box.
Of course it is quite easy for a blackhat to get this sessionid instead
of displaying it in a popup-box (eg. using a document.location.href in
the javascript code and referrers).


Temporary-fix
- -------------
Users can disable Javascript in their browsers, but this would disable
some features of pforum.


Fix
- ---
The vendor has released a new version, which seems to fix the bug.
You should not use v1.14 any longer.


Security-Risk
- -------------
Because possible blackhats can easily get the admin's password the
security risk is rated as high.


Vendor status
- -------------
Vendor has released a new version.



- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE8drV+DXh7YLO1RRoRAhruAKCpfg8kp4b6/3aXVToNplUbmINuxACg8Q3u
G0mnVTcr7kcurzeAWecvqSE=
=PhFm
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: