|
COMMAND pforum cross-site-scripting vulnerability SYSTEMS AFFECTED 1.14 and maybe all versions before PROBLEM ppp-design [http://www.ppp-design.de] found the following : pforum is a www-board system using php and mysql (http://www.powie.de). Although the author seems to try to eliminate malicious code (eg. unwanted html-code) in the input, he forget to check the username and maybe some other inputs when registering a new user for malicious code. Therefore it is possible for a malicious user to enter a username containing javascript code. Because the userename ist displayed without parsing out the javascript on several pages (eg. the page listing all users), it is possible to access some other user\'s cookie containing the sessionid. More details ------------- A typically user of pforum has enabled javascript (the side is using it eg. for changing some icons), so it is possible that his sessionid gets stolen by someone who has placed some malicious code in the forum. Because the only way for an administrator to get aware of this sort of attack is to look in the database or in the sourcecode of the board, it is easy for a possible attacker not to be caught. Proof-of-concept ----------------- Just use this url (one line): http://www.server.com/pforum/edituser.php?boardid=&agree=1&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1 This url generates a new users, which Username seems to be \"test\". In fact, everywhere the username is displayed, the included javascript code is placed, too. If some other user now goes to this page, he can see his sessionid in a popup-box. Of course it is quite easy for a blackhat to get this sessionid instead of displaying it in a popup-box (eg. using a document.location.href in the javascript code and referrers). SOLUTION Use new version