pforum: cross-site-scripting bug
From: Jens Liebchen <security@ppp-design.de>
Date: Fri, 22 Feb 2002 22:17:51 +0100
ppp-design found the following cross-site-scripting bug in pforum:
Version: 1.14 and maybe all versions before
OS affected: all OS with php and mysql
Vendor-Status: informed, new version available
pforum is a www-board system using PHP and MySQL. Although the author
seems to try to eliminate malicious code (e.g. unwanted HTML code) in the
input, he forgot to check the username and maybe some other inputs for
malicious code when registering a new user. Therefore it is possible for
several pages (e.g. the page listing all users), it is possible to access
some other user's cookie containing the sessionid.
e.g. for changing some icons), so it is possible that his sessionid gets
stolen by someone who has placed some malicious code in the forum.
Because the only way for an administrator to become aware of this sort of
attack is to look in the database or in the source code of the board, it
is easy for a possible attacker not to be caught.
Just use this URL (one line):
&nickname=test&email=test@test.com&pwd=test&pwd2=test&filled=1"
This URL generates a new user whose username appears to be "test". In
is placed, too. If some other user now goes to this page, he can see his
sessionid in a popup box.
Of course it is quite easy for a blackhat to get this sessionid instead
of displaying it in a popup box (e.g. using document.location.href in
some features of pforum.
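The defect described above is an output-encoding failure: a nickname accepted at registration is later written into the user-list page as raw HTML. The following PHP is an added example and is not pforum's code; the function names and the sample rows are invented for illustration. It places the vulnerable rendering pattern beside the HTML-encoded form, adds a registration-time allow-list as defence in depth, and includes a small check an administrator could run over the users table to surface stored markup, since the advisory notes the database is otherwise the only place the injection is visible.

```php
<?php
// Added example, not pforum's code. Function names are hypothetical and the
// sample nickname and rows below are constructed for the demonstration.

// Vulnerable pattern: the stored nickname is concatenated straight into HTML,
// so any markup it contains is delivered to every visitor of the user list.
function render_user_row_vulnerable(string $nickname): string
{
    return "<tr><td>" . $nickname . "</td></tr>";
}

// Fix 1: encode at the point of output. Whatever was stored, the browser now
// receives text rather than markup; ENT_QUOTES also covers attribute contexts.
function render_user_row_safe(string $nickname): string
{
    $escaped = htmlspecialchars($nickname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>" . $escaped . "</td></tr>";
}

// Fix 2 (defence in depth): reject nicknames outside a small allow-list when
// the registration form is processed, before anything is written to MySQL.
function nickname_is_valid(string $nickname): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $nickname) === 1;
}

// Detection aid for an administrator: return the ids of stored nicknames that
// contain markup characters. $rows stands in for the result of a SELECT on
// the users table (each row: ['id' => int, 'nickname' => string]).
function find_suspicious_nicknames(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (preg_match('/[<>"\']/', $row['nickname']) === 1) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// --- demonstration with constructed data ---
$malicious = '<script>alert(document.cookie)</script>'; // constructed sample
$benign    = 'test';

echo render_user_row_vulnerable($malicious), PHP_EOL; // markup emitted verbatim
echo render_user_row_safe($malicious), PHP_EOL;       // markup emitted as text

var_dump(nickname_is_valid($benign));
var_dump(nickname_is_valid($malicious));

$rows = [
    ['id' => 1, 'nickname' => $benign],
    ['id' => 2, 'nickname' => $malicious],
];
print_r(find_suspicious_nicknames($rows));

// Complementary hardening: mark the session cookie HttpOnly so that even a
// successful injection cannot read it through document.cookie. This must be
// set before session_start() is called.
ini_set('session.cookie_httponly', '1');
```

The encoding fix is the one that actually closes the hole: the allow-list and the HttpOnly cookie flag reduce impact and catch mistakes elsewhere, but only encoding every stored value at the moment it is written into HTML makes the user-list page safe regardless of what registration let through.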
The vendor has released a new version, which seems to fix the bug.
You should not use v1.14 any longer.
Because possible blackhats can easily get the admin's password, the
security risk is rated as high.
Vendor has released a new version.
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A