Pforum is a web-board (forum) system written in PHP with a MySQL backend. Although it tries to strip malicious input such as unwanted HTML, it does not check the username (and possibly some other fields) for such code when a new user registers. A malicious user can therefore register a username containing JavaScript. Because several pages (e.g. the page listing all users) display the username without filtering the JavaScript out, the script runs in other users' browsers and can read their cookie, which contains the session ID.
Credit:
The information has been provided by Jens Liebchen.
Vulnerable systems:
Pforum version 1.14
Immune systems:
Pforum version 1.15
A typical Pforum user has JavaScript enabled (the site itself uses it, e.g. to swap icons), so the session ID of any user who views the injected username can be stolen by whoever placed the code in the forum. Because the only way for an administrator to notice this kind of attack is to inspect the database or the board's HTML source, an attacker is unlikely to be caught.
Proof of concept:
Just use this URL (on one line):
http://www.example.com/pforum/edituser.php?boardid=&agree=1
&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E
&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1
This URL creates a new user whose username appears to be "test". In fact, everywhere the username is displayed, the embedded JavaScript is emitted as well. Any user who then visits such a page sees their own session ID in a popup box. Of course, it is just as easy for an attacker to receive the session ID instead of displaying it, e.g. by having the script set document.location.href to an attacker-controlled URL and reading the cookie from that request or its referrer.
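The following is an added illustration, not Pforum's own code: a simplified model of how a stored username reaches the "list all users" page, the vulnerable echo beside its hardened form, a registration-time whitelist, and a scan an administrator could run over the stored rows. The sample rows, the function names and the username character set are assumptions.

```php
<?php
// Added example (not Pforum code). Constructed sample rows, as they might sit in the
// users table after the proof-of-concept URL above has been submitted.
$users = array(
    array('username' => 'alice', 'nickname' => 'Alice'),
    array('username' => '<script>alert(document.cookie)</script>', 'nickname' => 'test'),
);

// Vulnerable pattern: the stored value is written straight into the page, so a
// username containing <script> is executed by every browser that renders the list.
function render_user_list_vulnerable(array $users) {
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= "  <li>" . $u['username'] . " (" . $u['nickname'] . ")</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: every untrusted value is HTML-encoded at output time,
// regardless of what filtering happened (or did not happen) at registration.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_user_list_safe(array $users) {
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= "  <li>" . h($u['username']) . " (" . h($u['nickname']) . ")</li>\n";
    }
    return $html . "</ul>\n";
}

// Defence in depth at registration: accept only a conservative character set so
// markup never reaches the database. The allowed set and length limits are assumptions.
function valid_username($name) {
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $name);
}

// What an administrator can do today: scan the stored rows for anything that looks
// like markup or a script URL, since the board itself gives no indication of the attack.
function find_suspicious_usernames(array $users) {
    $hits = array();
    foreach ($users as $u) {
        if (preg_match('/[<>"\']|javascript:/i', $u['username'])) {
            $hits[] = $u['username'];
        }
    }
    return $hits;
}

echo render_user_list_vulnerable($users); // the <script> tag is emitted verbatim
echo render_user_list_safe($users);       // the tag is shown as literal text
var_dump(valid_username('alice'));                                  // true
var_dump(valid_username('<script>alert(document.cookie)</script>')); // false
var_dump(find_suspicious_usernames($users));                        // one hit
```

The important point is that encoding at output time is the fix; rejecting bad input at registration only reduces what reaches the database and does not protect usernames that were stored before the check existed. For the rows the scan flags, the administrator can delete or rename the account directly in MySQL.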
Temporary fix:
Users can disable JavaScript in their browsers, but this also disables some Pforum features.
Fix:
The vendor has released a new version (1.15), which appears to fix the bug.
Vendor status:
Vendor has released a new version.