Lithium Forum - Client Side POST Inject Vulnerability

2015-12-22T00:00:00
ID VULNERLAB:1519
Type vulnerlab
Reporter Evolution Security GmbH & Vulnerability Laboratory [Research Team] – Hadji Samir Contact: admin@vulnerability-lab.com
Modified 2015-12-22T00:00:00

Description

A client-side cross-site scripting web vulnerability has been discovered in the official Microsoft Skype Community online-service web application. The vulnerability allows remote attackers to manipulate client-side application-to-browser requests in order to compromise session data and information.

The vulnerability is located in the filename value of the Skype Community t5/forums/postpage.messageeditorform.form.form.form module. Remote attackers are able to inject malicious script code into client-side application requests, and to prepare specially crafted web links that execute client-side script code and compromise the session data of Skype Community forum users and admins. The script code executes in the exception handling of the upload POST method request. The attack vector is located on the client side of the online service, and the request method used to inject or execute the code is POST. During testing and research we found that several high-class vendors use the commercial Lithium web application.

The security risk of the non-persistent cross-site scripting vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 3.7. Exploitation of the vulnerability requires a low-privilege web application user account and low user interaction. Successful exploitation results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of malicious script code or non-persistent manipulation of web module context.
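The flaw class described above, a request-supplied filename reflected in the upload error output, is shown here as an added example next to its fix; this is not Lithium's or Skype's code. The function names, the error markup, the allowlist and the sample filename are assumptions constructed for illustration.

```javascript
// Added illustration: names, markup and allowlist are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a request-derived value for an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist of names and extensions the application will accept at all.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$/;
const ALLOWED_EXT = new Set(["png", "jpg", "gif", "pdf"]);

function validateUpload(filename) {
  if (typeof filename !== "string" || !SAFE_NAME.test(filename)) {
    return { ok: false, reason: "invalid characters in file name" };
  }
  const ext = filename.includes(".") ? filename.split(".").pop().toLowerCase() : "";
  if (!ALLOWED_EXT.has(ext)) {
    return { ok: false, reason: "file type not allowed" };
  }
  return { ok: true, reason: "" };
}

// Pattern the advisory describes: the raw filename lands in the error markup.
function renderUploadErrorUnsafe(filename, reason) {
  return `<div class="upload-error">Could not attach ${filename}: ${reason}</div>`;
}

// Hardened: every request-derived value is encoded before it is reflected.
function renderUploadErrorSafe(filename, reason) {
  return `<div class="upload-error">Could not attach ${escapeHtml(filename)}: ${escapeHtml(reason)}</div>`;
}

// Constructed sample input: a filename carrying markup characters.
const sampleName = '<i>report</i>".exe';
const verdict = validateUpload(sampleName);
console.log(renderUploadErrorUnsafe(sampleName, verdict.reason));
console.log(renderUploadErrorSafe(sampleName, verdict.reason));
```

Validation rejects the name, but the error path still has to echo it, which is why the encoding step is needed even when the allowlist is in place.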

Request Method(s): [+] POST

Vulnerable Module(s): [+] Skype Community > t5/forums/

Vulnerable File(s): [+] t5/forums/postpage.messageeditorform.form.form.form

Vulnerable Parameter(s): [+] filename