Bug: mvnForum 1.1 Cross Site Scripting ( Ascii Version )

Search:
WLB2

mvnForum 1.1 Cross Site Scripting

Published
Credit
Risk
2008.05.10
Christian Holler
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2008-2131
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt

Source: Christian Holler <http://users.own-hero.net/~decoder/>

Systems Affected:

mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate

Overview:

An attacker who has the rights to start a new thread or to reply

to an existing one, is able to include javascript code using the topic,

that is executed when other users use the quick reply button shown

for every post.

This point of injection is possible because the topic text is part

of an "onclick" event used for the quick reply function and the

software only escapes characters that are typical for HTML cross

site script attacks. In this case, the single quote character is not

escaped.

I. Description

The list of standard functions for threads includes a typical feature

called "quick reply". For user convenience, each post has a button that

jumps to the form field allowing to send a quick reply, whilst changing

the topic text of the reply at the top of this form. This is accomplished

using javascript and the topic that is replied to. The source code for

this button looks like this:

<a href="#message" onclick="QuickReply('24','Re: Some thread topic');">

<img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"

border="0" alt="Quick reply to this post" title="Quick reply to this post"
/></a>

Because single quotes are not escaped in the topic context, it is possible

to break out of the second argument and execute arbitrary javascript code

in the client's browser.

II. Impact

Any user that is allowed to post anywhere can use this flaw to steal

sensitive information such as cookies from other users. Especially

because the forum uses simple reusable MD5 hashes in their cookies,

this attack makes it possible to gain unauthorized access to other

user accounts.

However, this attack relies on the user to click the quick reply

button and should therefore be considered only a moderate risk.

III. Proof of concept

Creating a new thread or replying to a thread with the following subject

will demonstrate the problem after hitting the "quick reply" button above

the post text.

Test', alert('XSS ALERT') , '

IV. Solution

At the time of writing, a fix is available in CVS.

http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/m
vnforum/user/viewthread.jsp?r1=1.316&r2=1.317

Timeline:

2008-04-27: mvnForum authors informed

2008-05-01: Fix available in CVS

2008-05-06: Vulnerability notice published

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.6 (GNU/Linux)

iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S

FWggJDc19FDPXiiyS+AP9iU=

=Tixo

-----END PGP SIGNATURE-----

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version