-----BEGIN PGP SIGNED MESSAGE-----
mvnForum Cross Site Scripting Vulnerability
Original release date: 2008-04-27
Last revised: 2008-05-06
Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt
Source: Christian Holler <http://users.own-hero.net/~decoder/>
mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum
An attacker who has the rights to start a new thread or to reply can
inject JavaScript into the topic text that is executed when other users
use the quick reply button shown for every post.
This point of injection is possible because the topic text is part
of an "onclick" event used for the quick reply function and the
software only escapes characters that are typical for HTML cross
site scripting attacks. In this case, the single quote character is not
escaped, although it terminates the JavaScript string literal the topic
text is placed in.
The list of standard functions for threads includes a typical feature
called "quick reply". For user convenience, each post has a button that
jumps to the form field for sending a quick reply, while changing
the topic text of the reply at the top of this form. This is accomplished
by a JavaScript function called from the button's "onclick" handler; the
HTML for this button looks like this:
<a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
border="0" alt="Quick reply to this post" title="Quick reply to this post" /></a>
Because single quotes are not escaped in the topic context, it is possible
to break out of the quoted string and inject arbitrary JavaScript that is
executed in the client's browser when the button is clicked.
Any user that is allowed to post anywhere can use this flaw to steal
sensitive information such as cookies from other users. Especially
because the forum uses simple reusable MD5 hashes in its cookies,
this attack makes it possible to gain unauthorized access to other
users' accounts. However, this attack relies on the victim clicking the
quick reply button and should therefore be considered only a moderate risk.
III. Proof of concept
Creating a new thread or replying to a thread with the following subject
will demonstrate the problem after hitting the "quick reply" button above
the post text.
Test', alert('XSS ALERT') , '
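The injection described above and the proof-of-concept subject, as an added
example that is not part of the original advisory and not mvnForum's code. It
models the server-side rendering of the quick reply anchor with an escaper
that only handles the classic HTML metacharacters (the exact character set of
mvnForum's escaper is an assumption), places a hardened renderer beside it
(also an assumption, not the fix that went into CVS), and simulates the
browser evaluating the onclick handler with QuickReply and alert stubbed so
the effect can be checked instead of shown in a dialog.

```javascript
// Added example, not mvnForum's code. All function names are illustrative.

// Escaper that handles only the classic HTML metacharacters. The single quote
// passes through untouched, which is the behaviour the advisory describes
// (assumption: the real escaper's character set is not given on the page).
function htmlEscapeWeak(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Hardened path: first make the value safe inside a JavaScript string literal
// (\uXXXX-encode quotes, backslash, HTML metacharacters and line terminators),
// then escape it for the HTML attribute that carries the script. Each layer
// is escaped for its own context, innermost first.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>&\r\n\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function htmlAttrEscape(s) {
  return htmlEscapeWeak(s).replace(/'/g, '&#39;');
}

// Two renderers for the anchor shown in the advisory. postId is assumed to be
// a server-generated integer and is not escaped here.
function renderQuickReplyWeak(postId, subject) {
  return `<a href="#message" onclick="QuickReply('${postId}','Re: ${htmlEscapeWeak(subject)}');">`;
}
function renderQuickReplySafe(postId, subject) {
  return `<a href="#message" onclick="QuickReply('${postId}','Re: ${htmlAttrEscape(jsStringEscape(subject))}');">`;
}

// Minimal model of what the browser does on click: take the attribute value,
// HTML-decode it, and run it as JavaScript. QuickReply records its arguments,
// alert records its message, so the outcome is inspectable.
function htmlDecode(s) {
  return s.replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}
function simulateClick(anchorHtml) {
  const handler = htmlDecode(anchorHtml.match(/onclick="([^"]*)"/)[1]);
  const result = { quickReply: null, alerts: [] };
  const QuickReply = (id, text) => { result.quickReply = [id, text]; };
  const alert = (msg) => { result.alerts.push(msg); };
  new Function('QuickReply', 'alert', handler)(QuickReply, alert);
  return result;
}

// The subject from the proof of concept above.
const POC_SUBJECT = "Test', alert('XSS ALERT') , '";

function demo() {
  const weak = simulateClick(renderQuickReplyWeak('24', POC_SUBJECT));
  const safe = simulateClick(renderQuickReplySafe('24', POC_SUBJECT));
  console.log('weak escaping: alerts =', weak.alerts, 'QuickReply args =', weak.quickReply);
  console.log('hardened:      alerts =', safe.alerts, 'QuickReply args =', safe.quickReply);
  return { weak, safe };
}

demo();
```

With the weak escaper the handler becomes
QuickReply('24','Re: Test', alert('XSS ALERT') , ''); and alert runs while the
arguments are evaluated; with the hardened renderer the same subject reaches
QuickReply as a plain string. The point is the double context: the value sits
inside a JavaScript string that itself sits inside an HTML attribute, so
HTML-escaping alone never closes the JavaScript string boundary.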
At the time of writing, a fix is available in CVS.
2008-04-27: mvnForum authors informed
2008-05-01: Fix available in CVS
2008-05-06: Vulnerability notice published
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.6 (GNU/Linux)
-----END PGP SIGNATURE-----