-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ppp-design found the following cross-site-scripting bug in pforum: Details - ------- Product: pforum Version: 1.14 and maybe all versions before OS affected: all OS with php and mysql Vendor-URL: www.powie.de Vendor-Status: informed, new version available Security-Risk: High Remote-Exploit: Yes Introduction - ------------ pforum is a www-board system using php and mysql. Although the author seems to try to eliminate malicious code (eg. unwanted html-code) in the input, he forget to check the username and maybe some other inputs when registering a new user for malicious code. Therefore it is possible for a malicious user to enter a username containing javascript code. Because the userename ist displayed without parsing out the javascript on several pages (eg. the page listing all users), it is possible to access some other user's cookie containing the sessionid. More details - ------------ A typically user of pforum has enabled javascript (the side is using it eg. for changing some icons), so it is possible that his sessionid gets stolen by someone who has placed some malicious code in the forum. Because the only way for an administrator to get aware of this sort of attack is to look in the database or in the sourcecode of the board, it is easy for a possible attacker not to be caught. Proof-of-concept - ---------------- Just use this url (one line): "http://www.server.com/pforum/edituser.php?boardid=&agree=1 &username=%3Cscript%3Ealert(document.cookie)%3C/script%3E &nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1" This url generates a new users, which Username seems to be "test". In fact, everywhere the username is displayed, the included javascript code is placed, too. If some other user now goes to this page, he can see his sessionid in a popup-box. Of course it is quite easy for a blackhat to get this sessionid instead of displaying it in a popup-box (eg. using a document.location.href in the javascript code and referrers). Temporary-fix - ------------- Users can disable Javascript in their browsers, but this would disable some features of pforum. Fix - --- The vendor has released a new version, which seems to fix the bug. You should not use v1.14 any longer. Security-Risk - ------------- Because possible blackhats can easily get the admin's password the security risk is rated as high. Vendor status - ------------- Vendor has released a new version. - -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE8drV+DXh7YLO1RRoRAhruAKCpfg8kp4b6/3aXVToNplUbmINuxACg8Q3u G0mnVTcr7kcurzeAWecvqSE= =PhFm -----END PGP SIGNATURE-----
