Bug: PyForum 1.0.3 Multiple Vulnerabilities (WLB-2009120171 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: PyForum 1.0.3 Multiple Vulnerabilities
 Credit: Nam Nguyen
 Date: 2009.12.26
 CWE: CWE-352 (Show similar)
CWE-79 (Show similar)
 CVE: CVE-2009-4407 (Show details)
CVE-2009-4408 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Medium
No
Yes

BLUE MOON SECURITY ADVISORY 2009-08
===================================

:Title: Multiple Vulnerabilities in PyForum
:Severity: Critical
:Reporter: Hoang Quoc Thinh and Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --

Description
-----------

PyForum is a 100% python-based message board system based in the excellent web2py framework.

We have discovered cross site scripting and cross site request forgery vulnerabilities in PyForum. The first allows
arbitrary script to run when a post is viewed. The second allows attackers to submit forms (such as changing password)
automatically without user's knowledge.

XSS vulnerability lies in the BBcode parsing in module ``models.parser``. The ``img`` and ``url`` tags do not sanitize
inputs and hence are susceptible to script injection.

CSRF vulnerability lies in the design of this web application. Forms do not have secure cookies and may be automatically
submitted on behalf of the user.

These bugs are rated at critical because they can be easily exploited and cause lost of integrity.

These bugs may exist in older versions and in zForum, from which pyForum derives, too.

Workaround
----------

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

December 05, 2009: Notice sent to Julio Flores Schwarzbeck (techfuel.net)

December 09, 2009: Reminder sent to Julio Flores Schwarzbeck

:Vendor response:

--

:Further communication:

--

:Public disclosure: December 15, 2009

:Exploit code:

No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon
Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and
fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is
at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAksnAdgACgkQbKzcTD214ZeihgCghPM9vqQDXC7M379YxVixzhms
yboAn3FonHLdWH3kf4UTNZVIeGq008Co
=nuqZ
-----END PGP SIGNATURE-----

References:

http://xforce.iss.net/xforce/xfdb/54855
http://www.securityfocus.com/archive/1/archive/1/508478/100/0/threaded
http://www.osvdb.org/61051
http://secunia.com/advisories/37764

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com