Lucene search
K

Phorum 5.2.19 Cross Site Scripting / Open Redirect

🗓️ 18 Aug 2015 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 41 Views

Phorum 5.2.19 reflects XSS via Microsoft-IIS and open redirect vulnerability also presen

Code
`Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect  
Security Advisory – Curesec Research Team  
1. Introduction  
  
Affected Product: Phorum 5.2.19   
Fixed in: 5.2.20  
Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip   
Vendor Contact: [email protected]   
Vulnerability Type: Reflected XSS (IIS only) and Open Redirect   
Remote Exploitable: Yes   
Reported to vendor: 07/14/2015   
Disclosed to public: 08/17/2015   
Release mode: Coordinated release   
CVE: n/a   
Google Dork: "This forum is powered by Phorum" (About 431,000 results)   
Credits Tim Coen of Curesec GmbH   
  
2. Vulnerability Description  
  
Phorum 5.2.19 is vulnerable to reflected cross site scripting when  
running on Microsoft-IIS. With this, it is possible to inject and  
execute arbitrary JavaScript code. This can for example be used by an  
attacker to inject a JavaScript keylogger, bypass CSRF protection, or  
perform phishing attacks.  
  
The attack can be exploited by getting the victim to click a link or  
visit an attacker controlled website.  
  
Additionally, there is an open redirect vulnerability, which may aid  
attackers in phishing attacks. This vulnerability is not limited to  
Microsoft-IIS.  
  
3. Proof of Concept  
  
The XSS injection takes place into the phorum_redirect_to GET argument:  
  
http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com"><script>alert(1)</script>  
  
The open redirect is possible via the same GET argument as the XSS  
vulnerability:  
  
http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com  
  
4. Code  
  
XSS:  
  
common.php:1990  
if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) {  
// the ugly IIS-hack to avoid crashing IIS  
print "<html><head>\n<title>Redirecting ...</title>\n";  
print "<meta http-equiv=\"refresh\" content=\"0;  
URL=$redir_url\">";  
print "</head>\n";  
print "<body><a href=\"$redir_url\">Redirecting  
...</a></body>\n";  
print "</html>";  
}  
}  
  
Open Redirect:  
  
redirect.php:29  
if (isset($PHORUM["args"]["phorum_redirect_to"])) {  
$redir = urldecode($PHORUM["args"]["phorum_redirect_to"]);  
phorum_redirect_by_url($redir);  
}  
  
common.php:1973  
function phorum_redirect_by_url( $redir_url )  
{  
[... (no sanitation) ... ]  
header( "Location: $redir_url" );  
[...]  
}  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 5.2.20:  
  
http://www.phorum.org/downloads/phorum_5_2_20.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
07/14/2015 Informed Vendor about Issue  
07/19/2015 Vendor releases Version 5.2.20  
08/17/2015 Disclosed to public  
  
6. Blog Reference  
  
http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Aug 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
41