TUCoPS :: Web BBS :: etc :: bt102.txt

Splatt Forum 4.0 multiple vulns




===========================================================================

====

FRAME4 SECURITY ADVISORY [FSA-2003:001]

---------------------------------------------------------------------------

----



PRODUCT            : Splatt Forum 4.0 for PHP-Nuke 6.0

PRODUCT/VENDOR URL : http://www.splatt.it/

TYPE               : Vulnerability / Exploit

IMPACT             : Medium

SUMMARY            : Multiple Vulnerabilities in Splatt Forum 4.0

DISCOVERY DATE     : 26/03/2003

PUBLIC RELEASE     : 01/05/2003

AFFECTED VERSION(S): Splatt Forum 4.0 (as of discovery date)

FIXED VERSION(S)   : Splatt Forum 4.0 Fix 1 (not tested)

VENDOR NOTIFIED    : No



---------------------------------------------------------------------------

----



BACKGROUNDER:



Splatt Forum is a MySQL driven, PHP-based forum system that fully 

integrates in

to PHP-Nuke, the popular CMS system by Fransisco Burzi.



INTRODUCTION:



We have discovered two vulnerabilities in the vanilla version of Splatt 

Forum

4.0 for PHP-Nuke 6.0; an XSS Vulnerability and an HTML/Code Injection Flaw.



The vulnerabilities and accompanying exploits were discovered and executed 

upon

only one web site, and verified by Webmaster (webmaster@frame4.com).



ADVISORY URL:



http://frame4.com/php/modules.php?

name=News&file=categories&op=newindex&catid=4

http://www.frame4.com/content/advisories/FSA-2003-001.txt



VENDOR CONTACT:



None. We didn't contact the vendor as 'Splatt' has a very bad track record 

when

it comes to replying to security reports and fixing issues. The web site 

of the

vendor is almost entirely in Italian which makes vendor contact difficult.



VULNERABILITY DESCRIPTION:



Please refer to the 'Technical Description' section below, for full 

description

of the problem(s).



VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):



"Out-of-the-box" version of Splatt Forum 4.0 for PHP-Nuke 6.0.



Although this is the ONLY version tested for the moment, it is highly 

possible

that other versions are open to similar attacks.



SOLUTION/VENDOR INFORMATION/WORKAROUND:



There are various possible solutions going around at the forums at 

splatt.it,

though the forums are in Italian and the English translations are often 

poor.



Recently, Splatt Forum 4.0 Fix 1 has been released; but this is yet 

untested.



TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:



[001] XSS Vulnerability



Post a message (Anonymous is OK) containing the following message body:



#

Some test text for fun <script>alert(document.cookie);</script> some more 

text

goes here...

#



This causes the rendering of the script upon reading (loading) of the page 

by

the next user. The JS is rendered FIRST, before the user can perform a 

cancel

action.



[002] HTML/Code Injection Flaw



Perform a search with the keywords:



<iframe src="http://somesite.com">



Upon rendering of the search results the remote site or any local page 

will be

rendered in the IFRAME. I am sure other JS exploits are renderable as well,

especially the IE 5-6 crash exploits (null objects) and remote JS cookie

snarfing.



CREDITS:



The vulnerabilities outlined in this advisory and accompanying sample code 

have

been discovered by morning_wood (morning_wood@thepub.co.za) of Morning 

Wood,Inc

(http://take.candyfrom.us/).



At the time of discovery this vulnerability was considered 0-day as the 

related

testing was performed "on the fly" as a curiosity test. The above exploits 

have

not been circulated through the underground community and are presented 

here as

a PUBLIC DISCLOSURE.



REFERENCES:



None.



ABOUT:



Frame4 Security Systems is a new security partner, empowering clients with 

the

necessary knowledge and products to protect and secure their computer 

systems.



Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-

515901 or

on the Web at http://www.frame4.com/.



DISCLAIMER:



This advisory is a Frame4 Security Systems ("Frame4") publication, all 

rights

reserved (c) 2003. You may (re-)distribute the text as long as the content 

is

not changed in any way and with this header text intact. If you want to 

serve

this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so, 

as

long as no changes are made without the prior permission of the author(s), 

no

fees are charged and proper credit is given.



IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the 

maximum

extent permitted by applicable law, in no event shall Frame4 Security 

Systems

be liable for any damages whatsoever, (including, without limitation, 

damages

for loss of any business profits, business interruption, loss of any 

business

information, or other pecuniary loss) arising out of the use, or inability 

to

use any software, and/or procedures outlined in this document, even if 

Frame4

Security Systems has been advised of the possibility of such damage(s). 

There

are NO warranties with regard to this information.



This advisory is the property of Frame4 Security Systems, all rights 

reserved.

Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/

===========================================================================

====

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH