Re: XXS in script Phorum

To: RaeD Hasadya <raed@xxxxxxxxxxx>
Subject: Re: XXS in script Phorum
From: Maurice Makaay <maurice.makaay@xxxxxxxxxxx>
Date: Tue, 06 Mar 2007 14:06:36 +0100
Cc: Bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070304115807.B76F5CA0A4@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070304115807.B76F5CA0A4@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.9 (X11/20070104)

RaeD Hasadya wrote:

=======================================================================
Script : Script Phorum
Found By : Hasadya Raed
Contact : RaeD@xxxxxxxxxxx
=================================================
exemple:
http://www.site.com/[path]/admin.php?upgradefile=";>**********alert(********.******);</script>
======================
Greetz : Only To Security Focus :)

Is this output coming from some automated security checking script orwhat? It looks a lot like it, since the reporter apparently did not lookat the PHP code or wasn't capable of understanding what the PHP codedoes. On the 7th of februari, the same kind of report was issued alreadyby Crack_man <c_r_ck@xxxxxxxxxxx>. The contents of that report were:


=======================================================================
title: XXS in script Phorum

homepage: www.phorum.org
found: 2007-02-25
by: Crack_man

=================================================
exemple:
http://www.site.com/[path]/admin.php?upgradefile=";><script>alert(document.cookie);</script>
======================

greetz : all friend

We replied to that previous report that it was classified as a 100%bogus report, after investigating the Phorum source code. So why reportit again? Here is the reply that we sent in response to the first report:


--------------

Once again, a false report about Phorum.  Please issue an apology ASAP.

1. upgradefiles as a var is only used inside a function.  PHP does not take 
variables from the global scope for use in functions automatically.

2. 2 lines before that var is echoed, it is set by reading a file name from 
disk using the dir() function in PHP.

3. The dir() function reads from a hard coded, relative path on disk and does 
not use a variable.

Thanks for trying.  If you find a real bug, please let us know.  We strive to 
make Phorum as bug free as possible.
--------------


This response still stands.
This bug report is a fake.


With kind regards,

Maurice Makaay
Phorum.org developer

References:
- XXS in script Phorum
  - From: RaeD Hasadya

Prev by Date: Apple QuickTime udta ATOM Integer Overflow
Next by Date: [security bulletin] HPSBUX02153 SSRT061181 rev.3 - HP-UX Running Firefox, Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS)
Previous by thread: XXS in script Phorum
Next by thread: MTCMS multiple upload vulnerabilities
Index(es):
- Date
- Thread