===========================================================
txtForum: Script Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-004, March 9, 2006
===========================================================
Affected versions: txtForum 1.0.4-dev and prior.
There is an include statement in the file common.php on line 46 that makes use of the SKIN constant, which was previously defined via the $skin variable. Under the following conditions, an attacker can inject arbitrary PHP script into the application:
All the attacker has to do is find a path through the program that doesn't initialize the $skin variable. The attacker does not require access to an account in the forum. Here is an example for an attack page:
This leads to execution of the code in http://evilserver.com/header.tpl. There might be further possibilities for exploits (similar include statements can also be found on lines 53 and 61).
There is no solution to this issue yet.
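Absent a vendor fix, the usual mitigation for this class of include is to assign the skin value unconditionally and map it through an allowlist before it reaches include. The PHP below is an added example, not txtForum code and not a fix from the developer; resolve_skin(), the skin names and the skins/<name>/header.tpl layout are assumptions.

```php
<?php
// Added example, not txtForum code. resolve_skin(), ALLOWED_SKINS and the
// skins/<name>/header.tpl layout are assumptions made for illustration.

const ALLOWED_SKINS = ['default', 'classic'];   // constructed sample names
const DEFAULT_SKIN  = 'default';

function resolve_skin($requested, string $baseDir): string
{
    // Non-strings (e.g. skin[]=x) and names off the allowlist fall back
    // to the default, so URLs and ../ sequences never reach include.
    if (!is_string($requested) || !in_array($requested, ALLOWED_SKINS, true)) {
        $requested = DEFAULT_SKIN;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // Defence in depth: the resolved directory must exist under $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('skin directory missing or outside base');
    }
    return $path;
}

// Constructed demo tree so the example runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'skins_demo_' . getmypid();
foreach (ALLOWED_SKINS as $name) {
    @mkdir($base . DIRECTORY_SEPARATOR . $name, 0700, true);
    file_put_contents("$base/$name/header.tpl", "[$name header]\n");
}

// Constructed inputs: a valid name, a remote URL like the advisory's,
// a traversal string, and an array value.
$inputs = ['classic', 'http://evilserver.com', '../../etc', ['x']];
foreach ($inputs as $input) {
    // Assigned unconditionally on every path, before any include.
    $skin = resolve_skin($input, $base);
    echo json_encode($input), ' => ';
    include $skin . DIRECTORY_SEPARATOR . 'header.tpl';
}
```

Only the first input selects the classic skin; the other three fall back to the default header. Independently of the code, setting allow_url_include = Off (PHP 5.2 and later) stops include from fetching URLs at all.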
March 2, 2006: Vulnerability reported to and acknowledged by the developer (I.Konforti). A fix is not planned.
March 9, 2006: Advisory submission.
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at