Phorum versions 5.0.14 and below are susceptible to multiple cross site scripting bugs.
27877b750246ca31ff8d8fb14fd92cf6f6b17f67dd2d3a26b69a7ccc5040b9cc
Author: Jon Oberheide <jon@oberheide.org>
Date: Sat, March 12th, 2005
Summary
=======
Application: Phorum
Vendor Website: http://www.phorum.org
Affected Versions: <= 5.0.14
Type of Vulnerability: Cross Site Scripting (XSS)
About Phorum
============
Phorum is a web based message board written in PHP. Phorum is
designed with high-availability and visitor ease of use in mind.
Features such as mailing list integration, easy customization and
simple installation make Phorum a powerful add-in to any website.
XSS Bug #1: Attachment Filename
===============================
When posting a message in a thread, Phorum allows for file attachments
of various types. When a user later views the thread containing the
attachment, the filename is displayed. In file.php, the filename of
the attachment is not sanitized before being output, leading to our
XSS attack.
Posting of an attachment with a filename such as:
test<script language='Javascript'
src='http://test.com/test.js'>.txt
will result in the execution of arbitrary javascript in an
unsuspecting user's browser when they view the thread.
The solution is to call PHP's htmlentities() on the filename before it
is output to the user's browser.
XSS Bug #2: Following Threads
=============================
While the subject line of a thread is sanitized correctly in the
majority of places in Phorum, it is not in follow.php. When a user
attempts to "follow" or subscribe to a thread with a malicious
subject, the code will be executed.
The solution is to call PHP's htmlentities() on the thread subject in
follow.php before it is output to the user's browser.
XSS Bug #3: User Control Panel
==============================
The user's personal control panel has a module showing a list of
currently "followed" threads. Similar to bug #2, the thread subject
line is not sanitized before this list is output.
The solution is to call PHP's htmlentities() on the thread subject in
the control panel before it is output to the user's browser.
Timeline
========
2005-02-20: Bug #1 discovered and vendor notified
2005-02-21: Version 5.0.14a released resolving bug #1
2005-02-22: Bug #2 and #3 discovered and vendor notified
2005-03-10: Version 5.0.15 released resolving bug #2 and #3
2005-03-12: Advisory posted to bugtraq/full-disclosure
--
Jon Oberheide <jonojono@umich.edu>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE