Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
Security Advisory – Curesec Research Team
1. Introduction

Affected Product:   Phorum 5.2.19  
Fixed in:     5.2.20
Fixed Version Link:   http://www.phorum.org/downloads/phorum_5_2_20.zip  
Vendor Contact:   webmaster@phorum.org  
Vulnerability Type:   Reflected XSS (IIS only) and Open Redirect  
Remote Exploitable:   Yes  
Reported to vendor:   07/14/2015  
Disclosed to public:   08/17/2015  
Release mode:     Coordinated release  
CVE:   n/a  
Google Dork:     "This forum is powered by Phorum" (About 431,000 results)  
Credits     Tim Coen of Curesec GmbH  

2. Vulnerability Description

Phorum 5.2.19 is vulnerable to reflected cross site scripting when
running on Microsoft-IIS. With this, it is possible to inject and
execute arbitrary JavaScript code. This can for example be used by an
attacker to inject a JavaScript keylogger, bypass CSRF protection, or
perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker controlled website.

Additionally, there is an open redirect vulnerability, which may aid
attackers in phishing attacks. This vulnerability is not limited to
Microsoft-IIS.

3. Proof of Concept

The XSS injection takes place into the phorum_redirect_to GET argument:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com"><script>alert(1)</script>

The open redirect is possible via the same GET argument as the XSS
vulnerability:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com

4. Code

XSS:

    common.php:1990
            if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) {
                // the ugly IIS-hack to avoid crashing IIS
                print "<html><head>\n<title>Redirecting ...</title>\n";
                print "<meta http-equiv=\"refresh\" content=\"0;
URL=$redir_url\">";
                print "</head>\n";
                print "<body><a href=\"$redir_url\">Redirecting
...</a></body>\n";
                print "</html>";
            }
        }

Open Redirect:

    redirect.php:29
      if (isset($PHORUM["args"]["phorum_redirect_to"])) {
        $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]);
        phorum_redirect_by_url($redir);
      }

    common.php:1973
      function phorum_redirect_by_url( $redir_url )
      {
      [... (no sanitation) ... ]
      header( "Location: $redir_url" );
      [...]
      }

4. Solution

To mitigate this issue please upgrade at least to version 5.2.20:

http://www.phorum.org/downloads/phorum_5_2_20.zip

Please note that a newer version might already be available.

5. Report Timeline

07/14/2015   Informed Vendor about Issue
07/19/2015   Vendor releases Version 5.2.20
08/17/2015   Disclosed to public

6. Blog Reference

http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html