
mvnForum 1.1 Cross Site Scripting



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27
Last revised: 2008-05-06
Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt
Source: Christian Holler <http://users.own-hero.net/~decoder/>


Systems Affected:

 mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate


Overview:

 An attacker who has the right to start a new thread or to reply to an
 existing one can include JavaScript in the thread topic. That script is
 executed in the browser of any other user who clicks the quick reply
 button shown for every post.

 Injection is possible because the topic text is embedded in the "onclick"
 event handler of the quick reply button, and the software escapes only
 the characters that matter in an HTML context. The single quote, which
 terminates the JavaScript string literal the topic is placed in, is not
 escaped.

I. Description

 Among the standard thread functions is a feature called "quick reply".
 For user convenience, each post has a button that jumps to the form field
 for sending a quick reply and, at the same time, sets the topic text at
 the top of that form to the topic of the post being replied to. This is
 done in JavaScript, with the topic passed as a string argument. The source
 code for this button looks like this:

 <a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
 <img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"
  border="0" alt="Quick reply to this post" title="Quick reply to this post"
  /></a>

 Because single quotes are not escaped in this JavaScript string context,
 a topic containing one closes the second argument early, and the rest of
 the topic is parsed as JavaScript and executed in the victim's browser
 when the button is clicked.

II. Impact

 Any user that is allowed to post anywhere can use this flaw to steal
 sensitive information such as cookies from other users. Because the forum
 stores simple, reusable MD5 hashes in its cookies, a stolen cookie is
 enough to gain unauthorized access to the victim's account.

 However, the attack relies on the victim clicking the quick reply button
 of the malicious post, and should therefore be considered only a moderate
 risk.

III. Proof of concept

 Creating a new thread, or replying to a thread, with the following subject
 will demonstrate the problem once the "quick reply" button of that post is
 clicked. The first single quote closes the string argument after "Re: Test";
 the remainder of the subject becomes an additional argument expression, so
 alert() is evaluated before QuickReply() itself is called.

 Test', alert('XSS ALERT') , '

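The following is an added example and not mvnForum's code; it models the
rendering described in section I and runs the proof-of-concept subject from
section III through it. The exact set of characters mvnForum escaped is not
stated in the advisory and is assumed here to be the HTML-significant ones
only; the function names, the stubbed QuickReply/alert, and the hardened
escaper are all illustrative.

```javascript
// Added example, not mvnForum's code. The topic is placed inside a JavaScript
// string literal that itself sits inside an HTML onclick attribute, so it
// must be escaped for both contexts, JavaScript first and HTML second.

// Assumed vulnerable behaviour: only HTML-significant characters are escaped;
// the single quote that delimits the JS string literal is left alone.
function escapeHtmlOnly(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Hardened: encode everything outside a small allow-list as a JS \xHH or
// \uHHHH escape. Backslash and hex digits carry no meaning in an HTML
// attribute, so the output is inert in the attribute and decodes back to the
// original characters only inside the JS string literal.
function escapeJsStringForAttr(s) {
  return s.replace(/[^A-Za-z0-9 ,.:;_-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Renders the anchor the way the advisory shows it, with a pluggable escaper.
// postId is assumed numeric here; in real code it needs the same treatment.
function renderQuickReplyLink(postId, topic, escaper) {
  const arg = escaper('Re: ' + topic);
  return `<a href="#message" onclick="QuickReply('${postId}','${arg}');">` +
         '<img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif" ' +
         'border="0" alt="Quick reply to this post" /></a>';
}

// Browser behaviour in miniature: the attribute value is entity-decoded before
// the JS parser sees it. Order matters: &amp; must be decoded last.
function decodeHtmlAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, '>')
          .replace(/&lt;/g, '<').replace(/&amp;/g, '&');
}

// Extracts the onclick handler and runs it with stubbed QuickReply and alert,
// recording what a click would actually do.
function simulateClick(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  const handler = decodeHtmlAttr(m[1]);
  const calls = { quickReplyTopic: null, alerted: null };
  const QuickReply = (id, topic) => { calls.quickReplyTopic = topic; };
  const alert = (msg) => { calls.alerted = msg; };
  new Function('QuickReply', 'alert', handler)(QuickReply, alert);
  return calls;
}

// Constructed input: the advisory's proof-of-concept subject.
const POC_SUBJECT = "Test', alert('XSS ALERT') , '";

// Runs the PoC subject through both renderings and returns what each click did.
function demo() {
  const vulnerable = simulateClick(
    renderQuickReplyLink('24', POC_SUBJECT, escapeHtmlOnly));
  const hardened = simulateClick(
    renderQuickReplyLink('24', POC_SUBJECT,
      (t) => escapeHtmlOnly(escapeJsStringForAttr(t))));
  return { vulnerable, hardened };
}
```

With the HTML-only escaper the handler becomes
QuickReply('24','Re: Test', alert('XSS ALERT') , ''); and alert() fires before
QuickReply() receives the truncated topic "Re: Test". With the JS-then-HTML
escaper no alert fires and QuickReply() receives the full subject unchanged,
which is the behaviour a fix for this class of bug must produce.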

IV. Solution

 At the time of writing, a fix is available in CVS.
 
http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316&r2=1.317

Timeline:

 2008-04-27: mvnForum authors informed
 2008-05-01: Fix available in CVS
 2008-05-06: Vulnerability notice published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.6 (GNU/Linux)

iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S
FWggJDc19FDPXiiyS+AP9iU=
=Tixo
-----END PGP SIGNATURE-----