Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect

2015.08.20
Credit: Tim Coen
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: \"This forum is powered by Phorum\"

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect Security Advisory – Curesec Research Team 1. Introduction Affected Product: Phorum 5.2.19 Fixed in: 5.2.20 Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip Vendor Contact: webmaster () phorum org Vulnerability Type: Reflected XSS (IIS only) and Open Redirect Remote Exploitable: Yes Reported to vendor: 07/14/2015 Disclosed to public: 08/17/2015 Release mode: Coordinated release CVE: n/a Google Dork: "This forum is powered by Phorum" (About 431,000 results) Credits Tim Coen of Curesec GmbH 2. Vulnerability Description Phorum 5.2.19 is vulnerable to reflected cross site scripting when running on Microsoft-IIS. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks. The attack can be exploited by getting the victim to click a link or visit an attacker controlled website. Additionally, there is an open redirect vulnerability, which may aid attackers in phishing attacks. This vulnerability is not limited to Microsoft-IIS. 3. Proof of Concept The XSS injection takes place into the phorum_redirect_to GET argument: http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com";><script>alert(1)</script> The open redirect is possible via the same GET argument as the XSS vulnerability: http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com 4. Code XSS: common.php:1990 if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) { // the ugly IIS-hack to avoid crashing IIS print "<html><head>\n<title>Redirecting ...</title>\n"; print "<meta http-equiv=\"refresh\" content=\"0; URL=$redir_url\">"; print "</head>\n"; print "<body><a href=\"$redir_url\">Redirecting ...</a></body>\n"; print "</html>"; } } Open Redirect: redirect.php:29 if (isset($PHORUM["args"]["phorum_redirect_to"])) { $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]); phorum_redirect_by_url($redir); } common.php:1973 function phorum_redirect_by_url( $redir_url ) { [... (no sanitation) ... ] header( "Location: $redir_url" ); [...] } 4. Solution To mitigate this issue please upgrade at least to version 5.2.20: http://www.phorum.org/downloads/phorum_5_2_20.zip Please note that a newer version might already be available. 5. Report Timeline 07/14/2015 Informed Vendor about Issue 07/19/2015 Vendor releases Version 5.2.20 08/17/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html

References:

http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html
http://www.phorum.org/downloads/phorum_5_2_20.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top