25th Feb 2002 [SBWID-5125]
COMMAND
pforum cross-site-scripting vulnerability
SYSTEMS AFFECTED
1.14 and maybe all versions before
PROBLEM
ppp-design [http://www.ppp-design.de] found the following:
pforum is a www-board system using PHP and MySQL (http://www.powie.de).
Although the author seems to try to eliminate malicious code (e.g.
unwanted HTML code) in the input, he forgot to check the username and
maybe some other inputs for malicious code when registering a new user.
Therefore it is possible for a malicious user to enter a username
containing JavaScript code. Because the username is displayed without
parsing out the JavaScript on several pages (e.g. the page listing all
users), it is possible to access another user's cookie containing
the session id.
More details
-------------
A typical user of pforum has JavaScript enabled (the site uses it
e.g. for changing some icons), so it is possible that his session id gets
stolen by someone who has placed malicious code in the forum.
Because the only way for an administrator to become aware of this sort of
attack is to look in the database or in the source code of the board, it
is easy for an attacker to avoid being caught.
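The root cause described above is missing input validation on the username at registration combined with missing output encoding wherever the username is rendered, and the "More details" section points out that the only way to notice an existing attack is to inspect the stored data. The following PHP snippet is an added example, not pforum's own code, showing the three defensive pieces a board like this needs: a whitelist check on the username before it is stored, HTML escaping on every output path, and a scan over already-stored usernames to flag entries that contain markup. The username policy (3-20 characters from letters, digits, `_`, `.` and `-`) and the sample data are assumptions constructed for the example.

```php
<?php
// Added example (not pforum's code). Assumed username policy:
// 3-20 characters, only letters, digits, underscore, dot and hyphen.
function username_is_valid(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{3,20}$/', $name) === 1;
}

// Output encoding: every place a username is rendered into HTML must go
// through this, regardless of what validation happened at registration.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Detection helper for existing data: flags stored usernames that contain
// HTML metacharacters or a javascript: scheme, so an administrator can find
// accounts registered before validation was added.
function looks_like_markup(string $name): bool
{
    return preg_match('/[<>"\']|javascript:/i', $name) === 1;
}

// Render a user list row with the username escaped (the vulnerable pattern
// would be echoing $name directly into the markup).
function render_user_row(string $name): string
{
    return '<tr><td>' . escape_for_html($name) . "</td></tr>\n";
}

// Constructed sample input: what a registration handler might receive.
$submitted = [
    'test',
    '<script>alert(document.cookie)</script>',
    'bob.smith',
    'ab',
];

foreach ($submitted as $name) {
    if (!username_is_valid($name)) {
        // Reject at registration; still escape when reflecting it in the error.
        echo 'rejected: ' . escape_for_html($name) . "\n";
        continue;
    }
    echo 'accepted: ' . escape_for_html($name) . "\n";
}

// Constructed sample of usernames already in the database, as an admin
// scan for accounts registered before the validation existed.
$stored = ['alice', '<script>alert(1)</script>', 'eve"onmouseover="x'];
foreach ($stored as $name) {
    if (looks_like_markup($name)) {
        echo 'suspicious stored username: ' . escape_for_html($name) . "\n";
    }
}

echo render_user_row('<script>alert(document.cookie)</script>');
```

Validation alone is not enough, because a username that passes today's whitelist could still be rendered into an attribute or a JavaScript context later; the escaping in `render_user_row` is what actually prevents the stored script from executing. As a defence in depth, marking the session cookie HttpOnly (PHP's `session.cookie_httponly` setting) stops `document.cookie` from reading it even if an injection slips through.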
Proof-of-concept
-----------------
Just use this URL (one line):
http://www.server.com/pforum/edituser.php?boardid=&agree=1&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1
This URL creates a new user whose username appears to be "test". In
fact, everywhere the username is displayed, the included JavaScript
code is placed, too. If another user now visits such a page, he can
see his session id in a popup box. Of course it is quite easy for a
blackhat to obtain this session id instead of displaying it in a popup box
(e.g. using a document.location.href in the JavaScript code and
referrers).
SOLUTION
Use the new version.