100905 2003-05-09  22:13  /16 lines/ WiciU <vviciu@poczta.onet.pl>
Imported: 2003-05-09  22:13  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4837>
Subject: A Phorum's bug...
------------------------------------------------------------


Hi!
I have found a bug in Phorum (http://phorum.org/).
It is possible to inject script code or other HTML tags into the "subject",
"author's name" or "author's e-mail" of a message in Phorum.
In the subject (name, e-mail) input of a message you need to write any
HTML tag like this:
<<b>script>alert(document.cookie);<<b>/script>
I have tested it on Phorum 3.4.1 but it probably works in other Phorum 3.x.x
versions.
Greetings!

WiciU, Poland
vviciu@poczta.onet.pl
(100905) /WiciU <vviciu@poczta.onet.pl>/------------
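The report above describes a stored cross-site scripting bug: header fields of a post (subject, author name, author e-mail) are written back into the page without output encoding. The following is an added illustration of that bug class beside its fix; it is not Phorum code, and the post dictionary, field names, page template and helper names are assumptions made up for the example. The last helper also shows why single-pass tag stripping is not a substitute for output encoding: a nested payload of the shape quoted in the report collapses into a live tag once the inner tag is removed.

```python
"""Stored XSS via post header fields: vulnerable rendering beside its fix.

Added illustration, not Phorum code. The post store, field names and
page template below are assumptions made up for this example.
"""
import html

# Constructed sample post: every header field carries an injection attempt.
SAMPLE_POST = {
    "subject": "<script>alert(document.cookie);</script>",
    "author": 'Mallory" onmouseover="alert(1)',
    "email": 'm@example.com"><script>alert(1)</script>',
    "body": "hello",
}


def render_post_vulnerable(post: dict) -> str:
    """Interpolates the header fields verbatim, as the report describes."""
    return (
        f"<h2>{post['subject']}</h2>\n"
        f'<p>By <a href="mailto:{post["email"]}">{post["author"]}</a></p>\n'
        f"<div>{post['body']}</div>"
    )


def is_plain_email(s: str) -> bool:
    """Allow-list check for the one field that lands inside a URL attribute."""
    allowed = set(
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-"
    )
    return 0 < len(s) <= 254 and s.count("@") == 1 and set(s) <= allowed


def render_post_fixed(post: dict) -> str:
    """Escapes every untrusted field for its HTML context.

    html.escape(quote=True) covers text nodes and double-quoted attribute
    values; the mailto: value is additionally restricted to a plain address
    so a crafted e-mail cannot break out of the href (empty if rejected).
    """
    def e(s: str) -> str:
        return html.escape(s, quote=True)

    email = post["email"] if is_plain_email(post["email"]) else ""
    return (
        f"<h2>{e(post['subject'])}</h2>\n"
        f'<p>By <a href="mailto:{e(email)}">{e(post["author"])}</a></p>\n'
        f"<div>{e(post['body'])}</div>"
    )


def has_live_markup(rendered: str, tag: str = "<script") -> bool:
    """True if the rendered page still contains an unescaped opening tag."""
    return tag in rendered.lower()


def strip_tag_once(s: str, tag: str) -> str:
    """Single-pass blacklist removal of one tag; shown only to demonstrate
    that nested input such as '<<b>script>' survives it as '<script>'."""
    return s.replace(f"<{tag}>", "").replace(f"</{tag}>", "")
```

Running `render_post_vulnerable(SAMPLE_POST)` yields a page with a live `<script>` element, while `render_post_fixed(SAMPLE_POST)` yields `&lt;script&gt;...` in the heading, an escaped author string inside the anchor, and an empty `mailto:` because the crafted e-mail fails the allow-list.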
100920 2003-05-09  23:02  /9 lines/ Brian Moon <brian@phorum.org>
Imported: 2003-05-09  23:02  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4838>
Subject: Re: A Phorum's bug...
------------------------------------------------------------
In-Reply-To: <20030509173709.14620.qmail@www.securityfocus.com>

Phorum 3.4.3 has been released fixing this and a couple
of other bugs.

Brian Moon
Phorum Dev Team
http://phorum.org/
(100920) /Brian Moon <brian@phorum.org>/------------
101198 2003-05-13  19:37  /81 lines/  <webmaster@procheckup.com>
Imported: 2003-05-13  19:37  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4866>
Subject: Phorum Vulnerabilities
------------------------------------------------------------


Phorum.org have acknowledged the flaws below and have released version 
3.4.3 which corrects them.

1) The Phorum download program (download.php) is vulnerable to a
directory traversal attack and can be used to read arbitrary files from
anywhere within the root directory - with the permissions of the web
service account.

2) The Phorum registration program (register.php) is vulnerable to
three flaws.

i) The Phorum registration program (register.php) fails to properly
filter an input variable - and is vulnerable to a cross site scripting
attack.

ii) The Phorum registration program (register.php) can be used to
perform proxy attacks against other sites.

iii) If an existing user is chosen (say admin) the registration page
is redisplayed with the existing Phorum input variables, if cross
site scripting attacks are entered these are re-displayed.

3) The Phorum login program (login.php) is vulnerable to two flaws.

i) The Phorum login program fails to properly filter an input variable
- and is vulnerable to a cross site scripting attack.

ii) The Phorum login program can be used to perform proxy attacks
against other sites.

4) The Phorum Post program (post.php) is vulnerable to a cross site
scripting attack.

i) The Phorum post.php program fails to properly filter an input
variable - and is vulnerable to a cross site scripting attack.

5) Multiple Phorum admin programs are vulnerable to remote command
injection attacks - by not filtering variables entered during the
registration process.

This flaw allows malicious remote users to modify the Phorum
configuration by injecting commands, as the Phorum interface is web
driven.

i) The Phorum UserAdmin program is vulnerable to command injection.

ii) The Phorum Edit user profile is also vulnerable to command
injection.

iii) The Phorum stats program is also vulnerable to this attack.

6) Many Phorum programs inadvertently disclose the webroot when called
incorrectly.

smileys.php
quick_listrss.php
purge.php
news.php
memberlist.php
forum_listrss.php
forum_list_rdf.php
forum_list.php
move.php

7) The Phorum common program (common.php) is vulnerable to cross site
scripting

The Phorum common.php program fails to properly filter an input
variable - and is vulnerable to a cross site scripting attack.

**********************************************

ProCheckUp, as requested by Phorum, has not released full details of
our discovered vulnerabilities. We understand how important full
exploit code can be to pen testers - and will fully release this in
30 days, thus giving Phorum administrators time to update.

**********************************************

ProCheckUp. Changing the future of penetration testing.

www.procheckup.com
(101198) / <webmaster@procheckup.com>/----(Reflowed)
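Item 1 of the advisory above is a directory traversal in a download handler: a user-supplied file name is joined onto a download directory with no check that the result stays inside it. The advisory withholds details, so the following is an added, generic illustration of that bug class and of the containment check that fixes it; it is not Phorum's download.php, and the directory layout, file names and helper names are constructed for the example (it creates its fixture in a temporary directory and removes it again). It goes slightly beyond the advisory's wording by also covering a symlink inside the download directory that points outside it, which a purely lexical check on the request string would miss.

```python
"""Path-traversal guard for a file download handler.

Added illustration, not Phorum's download.php. The download directory,
file names and symlink below are constructed in a temporary directory
purely for this example (POSIX assumed for the symlink).
"""
import os
import shutil
import tempfile


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """What the advisory describes: plain concatenation, no containment check."""
    return os.path.join(base_dir, requested)


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a user-supplied name to a regular file inside base_dir, or raise.

    Absolute names and NUL bytes are rejected up front. Both sides are then
    canonicalised with realpath so '..' segments and symlinks are followed
    before the containment check, which compares path components via
    commonpath rather than string prefixes (so '/srv/files2' is not
    mistaken for something inside '/srv/files').
    """
    if "\x00" in requested or os.path.isabs(requested):
        raise TraversalError(requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    return target


def build_fixture() -> tuple:
    """Constructed layout: root/files/report.txt (public), root/secret.txt
    (outside the download dir) and root/files/link.txt -> root/secret.txt."""
    root = tempfile.mkdtemp()
    files = os.path.join(root, "files")
    os.mkdir(files)
    with open(os.path.join(files, "report.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(files, "link.txt"))
    return root, files


def demo() -> dict:
    """Run both resolvers over constructed requests; returns a result map."""
    root, files = build_fixture()
    try:
        results = {}
        for name in ["report.txt", "../secret.txt", "link.txt",
                     "sub/../../secret.txt", "/etc/passwd", "nope.txt"]:
            try:
                resolve_download(files, name)
                results[name] = "allowed"
            except TraversalError:
                results[name] = "rejected"
            except FileNotFoundError:
                results[name] = "missing"
        # The unchecked version happily hands out the file outside files/.
        with open(vulnerable_resolve(files, "../secret.txt")) as f:
            results["vulnerable:../secret.txt"] = f.read()
        return results
    finally:
        shutil.rmtree(root)


RESULTS = demo()
```

Only `report.txt` is served by the guarded resolver; the `..` forms, the symlink and the absolute path are all rejected, and a missing name inside the directory is reported as missing rather than as a traversal. The unchecked resolver returns the contents of `secret.txt` for `../secret.txt`, which is the behaviour the advisory describes.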