ppp-design found the following cross-site scripting (XSS) vulnerability in pforum:
Details
Product: pforum
Version: 1.14 (earlier versions are probably affected as well)
OS affected: any OS running PHP and MySQL
Vendor-URL: www.powie.de
Vendor-Status: informed, new version available
Security-Risk: High
Remote-Exploit: Yes
Introduction
pforum is a web board system written in PHP on top of MySQL. Although the author apparently tries to filter malicious input (e.g. unwanted HTML), he forgot to check the username, and possibly other fields, for malicious code when a new user registers. A malicious user can therefore register with a username containing JavaScript. Because the username is displayed on several pages (e.g. the page listing all users) without the HTML being escaped or stripped, the injected script runs in every other user's browser and can read that user's cookie, which contains the session id. This is a stored cross-site scripting bug.
More details
A typical pforum user has JavaScript enabled (the site uses it e.g. for swapping icons), so his session id can be stolen by anyone who has placed malicious code in the forum. Because the only way for an administrator to notice this kind of attack is to inspect the database or the rendered source of the board pages, an attacker can easily avoid being caught.
Proof-of-concept
Just use this url (one line):
"http://www.server.com/pforum/edituser.php?boardid=&agree=1
&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E
&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1"
This URL creates a new user whose username appears to be "test". In fact, everywhere the username is displayed the embedded JavaScript is emitted too. When another user now visits such a page, his session id is shown in a popup box. Of course it is easy for an attacker to obtain the session id instead of merely displaying it, e.g. by setting document.location.href to a URL on a server he controls, with the cookie value appended, and reading it from that request or its Referer header.
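The following is an added example, not code from pforum or from ppp-design. It models in JavaScript (Node.js, no dependencies) the server-side output step the advisory describes: what the registration script receives from the proof-of-concept URL above, how a user list that concatenates the stored username straight into HTML ends up containing a live script element, the same list rendered with HTML escaping (the equivalent of PHP's htmlspecialchars(), which is the fix the board needs), and the database check mentioned under "More details", run here over constructed sample rows of a user table. The field and row layout are assumptions, not pforum's real schema.

```javascript
// Added example (not pforum's code): models the output step the advisory
// describes, the escaping fix, and an admin scan over a user-table dump.

// The proof-of-concept URL from the advisory, joined into one line.
const POC_URL =
  'http://www.server.com/pforum/edituser.php?boardid=&agree=1' +
  '&username=%3Cscript%3Ealert(document.cookie)%3C/script%3E' +
  '&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1';

// What the registration script sees after the query string is URL-decoded.
// (Field names follow the PoC URL; the real script's variable names are unknown.)
function registrationFields(url) {
  const params = new URL(url).searchParams;
  return {
    username: params.get('username'),
    nickname: params.get('nickname'),
    email: params.get('email'),
  };
}

// Vulnerable rendering: the stored username is concatenated straight into the
// HTML of the user list, which is the behaviour the advisory describes.
function renderUserListVulnerable(users) {
  return '<ul>' + users.map(u => `<li>${u.username}</li>`).join('') + '</ul>';
}

// Minimal HTML escaping, equivalent to PHP htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Fixed rendering: escape on output, so markup in a username is shown as text.
function renderUserListFixed(users) {
  return '<ul>' + users.map(u => `<li>${escapeHtml(u.username)}</li>`).join('') + '</ul>';
}

// Would a browser see a live <script> element in this HTML?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Admin check over a dump of the user table: flag rows whose username or
// nickname contains characters that would be interpreted as markup.
function findSuspiciousUsers(rows) {
  const markup = /[<>"'&]/;
  return rows
    .filter(r => markup.test(r.username) || markup.test(r.nickname))
    .map(r => r.id);
}

// Constructed sample rows (assumed layout): two normal accounts plus the
// account the PoC URL would create.
const SAMPLE_ROWS = [
  { id: 1, username: 'admin', nickname: 'admin' },
  { id: 2, username: registrationFields(POC_URL).username, nickname: 'test' },
  { id: 3, username: 'alice', nickname: 'alice' },
];

console.log('stored username:', registrationFields(POC_URL).username);
console.log('vulnerable:', renderUserListVulnerable(SAMPLE_ROWS));
console.log('fixed:     ', renderUserListFixed(SAMPLE_ROWS));
console.log('suspicious user ids:', findSuspiciousUsers(SAMPLE_ROWS));
```

The escaping belongs at every place a user-supplied string is written into a page, not only in the registration form: filtering on input can be bypassed or forgotten for one field (as happened here), whereas escaping on output neutralises whatever made it into the database.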
Temporary-fix
Users can disable JavaScript in their browsers, but this also disables some features of pforum.
Fix
The vendor has released a new version which appears to fix the bug. Do not continue to use v1.14.
Security-Risk
Because an attacker can easily take over the administrator's session, the security risk is rated as high.
Vendor status
Vendor has released a new version.
Disclaimer
All information in this advisory is believed to be true, but it may not be. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
