Home / os / winmobile

Phorum 5.2.19 Cross Site Scripting / Open Redirect

Posted on 19 August 2015

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect Security Advisory – Curesec Research Team 1. Introduction Affected Product: Phorum 5.2.19 Fixed in: 5.2.20 Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip Vendor Contact: webmaster@phorum.org Vulnerability Type: Reflected XSS (IIS only) and Open Redirect Remote Exploitable: Yes Reported to vendor: 07/14/2015 Disclosed to public: 08/17/2015 Release mode: Coordinated release CVE: n/a Google Dork: "This forum is powered by Phorum" (About 431,000 results) Credits Tim Coen of Curesec GmbH 2. Vulnerability Description Phorum 5.2.19 is vulnerable to reflected cross site scripting when running on Microsoft-IIS. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks. The attack can be exploited by getting the victim to click a link or visit an attacker controlled website. Additionally, there is an open redirect vulnerability, which may aid attackers in phishing attacks. This vulnerability is not limited to Microsoft-IIS. 3. Proof of Concept The XSS injection takes place into the phorum_redirect_to GET argument: http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com"><script>alert(1)</script> The open redirect is possible via the same GET argument as the XSS vulnerability: http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com 4. Code XSS: common.php:1990 if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) { // the ugly IIS-hack to avoid crashing IIS print "<html><head> <title>Redirecting ...</title> "; print "<meta http-equiv="refresh" content="0; URL=$redir_url">"; print "</head> "; print "<body><a href="$redir_url">Redirecting ...</a></body> "; print "</html>"; } } Open Redirect: redirect.php:29 if (isset($PHORUM["args"]["phorum_redirect_to"])) { $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]); phorum_redirect_by_url($redir); } common.php:1973 function phorum_redirect_by_url( $redir_url ) { [... (no sanitation) ... ] header( "Location: $redir_url" ); [...] } 4. Solution To mitigate this issue please upgrade at least to version 5.2.20: http://www.phorum.org/downloads/phorum_5_2_20.zip Please note that a newer version might already be available. 5. Report Timeline 07/14/2015 Informed Vendor about Issue 07/19/2015 Vendor releases Version 5.2.20 08/17/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html

 

TOP