{"id": "PACKETSTORM:111691", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "CsForum 0.8 Cross Site Scripting", "description": "", "published": "2012-04-08T00:00:00", "modified": "2012-04-08T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/111691/CsForum-0.8-Cross-Site-Scripting.html", "reporter": "Chokri Ben Achor", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:16:24", "viewCount": 9, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1678911500, "score": 1678911848, "epss": 1678917342}, "_internal": {"score_hash": "1f6e6ea9a89af0742e957469fb52f844"}, "sourceHref": "https://packetstormsecurity.com/files/download/111691/VL-496.txt", "sourceData": "`Title: \n====== \nCsForum v0.8 - Cross Site Scripting Vulnerability \n \n \nDate: \n===== \n2012-04-05 \n \n \nReferences: \n=========== \nhttp://www.vulnerability-lab.com/get_content.php?id=496 \n \n \nVL-ID: \n===== \n496 \n \n \nIntroduction: \n============= \nForum very simple installation, this script is very light and yet it has several functionalities such as marking of read messages \ndisplay tree with sending mail in case of response. It is also very easy to integrate in your site thanks to the insertion of pages \nof your choice before and after the forum header.php and footer.php \n \n(Copy of the Vendor Homepage: http://www.comscripts.com/scripts/php.cs-forum.643.html ) \n \n \nAbstract: \n========= \nA Vulnerability Laboratory Researcher discovered a Cross Site Scripting Vulnerability on CsForum v0.8 application. \n \n \nReport-Timeline: \n================ \n2012-04-08: Public or Non-Public Disclosure \n \n \nStatus: \n======== \nPublished \n \n \nExploitation-Technique: \n======================= \nRemote \n \n \nSeverity: \n========= \nLow \n \n \nDetails: \n======== \nA client side cross site scripting vulnerability is detected on the CsForum v0.8 application. \nThe vulnerability allows an attacker with privileged user account to hijack customer/moderator/admin sessions with high required user inter \naction. Successful exploitation can result in account steal or client side context manipulation when processing affected module \napplication requests. \n \nVulnerable Module(s): \n[+] read.php \n \nPicture(s): \n../1.png \n \n \nProof of Concept: \n================= \nThe vulnerability can be exploited by remote attacker with medium required user inter action. For demonstration or reproduce ... \n \nString : \"><img src=\"tester1337.png\" onerror=alert(\"CROSS-SITE-SCRIPTING2\") /> \n \n.Proof : \n<img src=\"tester1337.png\" onerror=alert(\"cross-site-scripting2\") />\" title=\"Site de l'auteur\"> \n \nExample : http://alain.lc.free.fr/csforum8/read.php?id=527&debut=8 \n \n \nRisk: \n===== \nThe security risk of the client side cross site scripting vulnerability is estimated as low. \n \n \nCredits: \n======== \nVulnerability Research Laboratory - Chokri B.A. (Me!ster) \n \n \nDisclaimer: \n=========== \nThe information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, \neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- \nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \nmay not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability- \nLab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of \nother media, are reserved by Vulnerability-Lab or its suppliers. \n \nCopyright \u00a9 2012 Vulnerability-Lab \n \n \n \n \n-- \nVULNERABILITY RESEARCH LABORATORY TEAM \nWebsite: www.vulnerability-lab.com \nMail: research@vulnerability-lab.com \n \n`\n"}
CsForum 0.8 Cross Site Scripting