Sec-Tec Advisory - XSS in Snitz Forums 2000

The most up to date version of this advisory can always be found at:
www.sec-tec.co.uk/vulnerability/snitzxss.html

Advisory creation date: 6th May 2004
Product: Snitz Forums 2000
Tested version: 3.4.04 (older versions believed to be affected also)
Vulnerability: XSS
Discovered by: Pete Foster - Sec-Tec Ltd (www.sec-tec.co.uk)

Product:
Snitz Forums 2000 is an interactive discussion environment that allows different people on the Internet or an Intranet to leave messages for each other, and then reply.

Description:
When registering a new account, the register.asp script fails to properly sanitize the E-mail address (Email) field. An attacker can enter specially crafted strings into this field that allow him to launch cross-site scripting (XSS) attacks. Successful exploitation of this could lead to the theft of sensitive information, such as valid session details.

Affected object:
register.asp

POC Exploit:
When registering a new account (or amending an existing one), enter the following as an email address:

p@p" onMouseOver="alert(document.cookie);

When a user then follows a link to send the attacker an email, the script code is executed.

Fix:
The Email field should be filtered to remove dangerous characters. The vendor has given details that fix the symptoms.
--- Vendor quote ---
On line #184 of pop_mail.asp:

Change this:
rs("M_EMAIL")

To this:
chkString(rs("M_EMAIL"),"display")
--- End vendor quote ---

Vendor fix details can also be found at:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=53360

Release timeline:
Vulnerability discovered: April 29th 2004
Vendor notified: May 6th 2004
Vendor response: June 11th 2004
Public release: June 16th 2004

If using this document, please link to:
http://www.sec-tec.co.uk/vulnerability/snitzxss.html
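
The two defensive layers the advisory names (filtering the Email field on input, encoding it on display) can be checked against the advisory's own PoC string. This is an added example in Python, not code from Snitz or Sec-Tec; the mailto link template, the allow-list pattern and all function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# PoC value from the advisory, as it would be stored in the Email field.
POC_EMAIL = 'p@p" onMouseOver="alert(document.cookie);'

# Assumed allow-list for input filtering (not Snitz's own rule): no quotes,
# spaces or angle brackets can pass, so attribute breakout is impossible.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_acceptable_email(value):
    """Input-side check: accept only values matching the allow-list."""
    return EMAIL_RE.fullmatch(value) is not None


def render_unsafe(email):
    """Hypothetical template that concatenates the stored value unencoded."""
    return '<a href="mailto:' + email + '">Send e-mail</a>'


def render_encoded(email):
    """Same template with HTML encoding applied at output time."""
    return '<a href="mailto:' + html.escape(email, quote=True) + '">Send e-mail</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser-style parser sees on the <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print("accepted on input:", is_acceptable_email(POC_EMAIL))
    print("unencoded output :", anchor_attributes(render_unsafe(POC_EMAIL)))
    print("encoded output   :", anchor_attributes(render_encoded(POC_EMAIL)))
```

Parsing the rendered markup and asserting that the anchor carries only an href attribute makes a useful regression test for any page that displays the stored address.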