<<< Date Index >>>     <<< Thread Index >>>

Multiple Cross Site Scripting Vulnerabilities in FuseTalk



Date:     October 12, 2004
Vendor:   FuseTalk
Issue:    Multiple Cross Site Scripting Vulnerabilities
URL:      http://www.fusetalk.com
Advisory: http://www.lovebug.org/fusetalk_advisory.txt

Notes:

The vendor was contacted last month and responded that:
"all of these issues below were fixed in "Security Patches" released
04/21/2004 & 05/04/2004.  All customers were notified of these and were to
apply them.  The site you are visiting obviously has not applied these
patches and should.  If you do not the person in charge of that site you
visit you might want them to email me sales [AT] fusetalk.com and I can let
them know where to go and get those patches.

However, it appears a large number of sites running FuseTalk are vulnerable
and even the Demo Enterprise Edition on their homepage is currently
vulnerable.  It would appear these patches are not making their way around
very well and/or do not fix all the below listed problems.

Issue:

I am not 100% sure of the version of sites I have found to be vulnerable use
or if their vulnerabilities exist in all similar versions of FuseTalk.  It
might be possible that some level of customization has occurred and spawned
the vulnerability.  In any case, I will explain the circumstances in which
the problem can be recreated as I found it.  Finally, the FuseTalk website
itself contains a CSS vulnerability in the latest FuseTalk Enterprise
Edition demo edition. It would appear Fuse Talk Enterprise Edition 2.0 and
other versions are all affected.

1) The data that is sent to searchresults.cfm does not appear to be
filtered.  Sending it a search string such as
<script>alert(document.cookie)</script> will yield a popup with the cookie
data.

2) In some forums (often older version) when viewing the profile of users,
if scripting code is passed into tombstone.cfm?ProfileID i.e.
(tombstone.cfm?ProfileID=<script>alert(document.cookie)</script>) the text
is once again unfiltered and the script with be executed

3) One of the major sites I use automatically returns and error page that
will not filter and pretty much executes any script sent to any FuseTalk
url.  I am not sure if this is their own setup or a FuseTalk option.  I am
under the assumption it is their own 404 issue.  However, if there is a
setting that brings all invalid pages to a screen that says: "Page Not Found
The web page you requested could not be found. Please check to make sure you
entered the correct information." then this makes any url that FuseTalk
processes vulnerable as well.

4) Lastly:

Now in the Enterprise Edition as the demon demo on the website, I have only
found one CSS vulnerability thus far.  That error lies within
usersearchresults.cfm?keyword="SCRIPT".  We can recreate the same CSS
problems above with the url:
http://www.fusetalk.com/forum/usersearchresults.cfm?keyword=<script>alert(document.cookie)</script>&FT_ACTION=SearchUsers

Solution:

It seems Spiffomatic64 has reported a different CSS problem with FuseTalk
earlier today and his suggestions should apply just the same.

Credits:

Thanks to Virginia Tech for the edumucation I am receiving and to my
girlfirend for being so sweet. [SDC]

-Steven
steven@xxxxxxxxxxx
www.lovebug.org/