Author: Jon Oberheide <jon@xxxxxxxxxxxxx>
Date: Sat, March 12th, 2005

Summary
=======

Application: Phorum
Vendor Website: http://www.phorum.org
Affected Versions: <= 5.0.14
Type of Vulnerability: Cross Site Scripting (XSS)

About Phorum
============

Phorum is a web based message board written in PHP. Phorum is designed with high availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website.

XSS Bug #1: Attachment Filename
===============================

When posting a message in a thread, Phorum allows file attachments of various types. When a user later views the thread containing the attachment, the filename is displayed. In file.php, the filename of the attachment is not sanitized before being output, which leads to the XSS vulnerability. Posting an attachment with a filename such as:

test<script language='Javascript' src='http://test.com/test.js'>.txt

will result in the execution of arbitrary JavaScript in an unsuspecting user's browser when they view the thread.

The solution is to call PHP's htmlentities() on the filename before it is output to the user's browser.

XSS Bug #2: Following Threads
=============================

While the subject line of a thread is sanitized correctly in the majority of places in Phorum, it is not in follow.php. When a user attempts to "follow" or subscribe to a thread with a malicious subject, the script embedded in the subject will be executed in that user's browser.

The solution is to call PHP's htmlentities() on the thread subject in follow.php before it is output to the user's browser.

XSS Bug #3: User Control Panel
==============================

The user's personal control panel has a module showing a list of currently "followed" threads. Similar to bug #2, the thread subject line is not sanitized before this list is output.

The solution is to call PHP's htmlentities() on the thread subject in the control panel before it is output to the user's browser.
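All three bugs share one pattern: user-controlled text (an attachment filename, a thread subject) is written into HTML without escaping. The following is an added illustration, not Phorum's own code, showing the unescaped rendering beside the htmlentities() fix the advisory recommends; the filename is the one from bug #1 and the thread subject is a constructed sample.

```php
<?php
// Added example, not taken from Phorum. Constructed sample values:
// the filename from bug #1 and a made-up thread subject for bugs #2 and #3.
$filename = "test<script language='Javascript' src='http://test.com/test.js'>.txt";
$subject  = "Re: meeting <img src=x onerror=\"alert(1)\">";

// Vulnerable pattern (what the unfixed output effectively does): the raw
// value is concatenated straight into the markup sent to the browser.
function render_attachment_unsafe(string $name): string
{
    return '<a href="file.php?name=' . rawurlencode($name) . '">' . $name . '</a>';
}

// Fixed pattern: escape at the point of output. ENT_QUOTES also escapes single
// quotes, which matters if the value ever lands inside an attribute, and the
// explicit charset avoids encoding-dependent surprises on older PHP builds.
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

function render_attachment_safe(string $name): string
{
    return '<a href="file.php?name=' . rawurlencode($name) . '">' . esc($name) . '</a>';
}

// Same fix for the thread subject used by follow.php and the control panel.
function render_subject_safe(string $subject): string
{
    return '<li>' . esc($subject) . '</li>';
}

// Self-check: the escaped output must not contain a live tag from user data,
// while the unescaped output still does.
function escaping_works(string $name, string $subject): bool
{
    $unsafe = render_attachment_unsafe($name);
    $safe   = render_attachment_safe($name);
    $subj   = render_subject_safe($subject);
    return strpos($unsafe, '<script') !== false      // tag survives: exploitable
        && strpos($safe, '<script') === false        // tag neutralised
        && strpos($safe, '&lt;script') !== false
        && strpos($subj, '<img') === false;
}

echo render_attachment_safe($filename), "\n";
echo render_subject_safe($subject), "\n";
echo escaping_works($filename, $subject) ? "escaping ok\n" : "escaping FAILED\n";
```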
Timeline
========

2005-02-20: Bug #1 discovered and vendor notified
2005-02-21: Version 5.0.14a released resolving bug #1
2005-02-22: Bug #2 and #3 discovered and vendor notified
2005-03-10: Version 5.0.15 released resolving bug #2 and #3
2005-03-12: Advisory posted to bugtraq/full-disclosure

--
Jon Oberheide <jonojono@xxxxxxxxx>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE