mvnforum-jsxss.txt
Posted May 6, 2008
Authored by Christian Holler | Site users.own-hero.net

mvnForum version 1.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | dcb8679078bf72bcb063361f8dc3c9099139fcbc28d0ad926e33563c0da074be


mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27
Last revised: 2008-05-06
Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt
Source: Christian Holler <http://users.own-hero.net/~decoder/>


Systems Affected:

mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate


Overview:

An attacker who has the rights to start a new thread or to reply to an
existing one is able to include JavaScript code in the topic; that code
is executed when other users click the quick reply button shown for
every post.

This injection point exists because the topic text is placed inside the
"onclick" event handler used for the quick reply function, and the
software only escapes characters that are typical for HTML cross site
scripting attacks. In this case, the single quote character is not
escaped.

I. Description

The list of standard functions for threads includes a typical feature
called "quick reply". For user convenience, each post has a button that
jumps to the form field for sending a quick reply, while changing the
topic text of the reply at the top of this form. This is accomplished
using JavaScript and the topic that is replied to. The source code for
this button looks like this:

<a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
<img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"
border="0" alt="Quick reply to this post" title="Quick reply to this post" /></a>

Because single quotes are not escaped in the topic context, it is possible
to break out of the second argument and execute arbitrary JavaScript code
in the client's browser.

II. Impact

Any user that is allowed to post anywhere can use this flaw to steal
sensitive information such as cookies from other users. Because the
forum uses simple reusable MD5 hashes in its cookies, this attack makes
it possible to gain unauthorized access to other user accounts.

However, this attack relies on the user to click the quick reply
button and should therefore be considered only a moderate risk.

III. Proof of concept

Creating a new thread or replying to a thread with the following subject
will demonstrate the problem after hitting the "quick reply" button above
the post text.

Test', alert('XSS ALERT') , '

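The following Python model (added here; it is not mvnForum code) shows why the escaping described in section I fails and what the correct layering looks like. It rebuilds the quick-reply anchor from section I with a hypothetical `render_quick_reply` helper, reproduces the two parsing stages a browser applies (HTML entity decoding of the attribute, then JavaScript string parsing of the handler), and checks whether the section III subject ends up outside the intended string literal. It also shows that entity-encoding the quote alone does not help, because the HTML parser decodes it before the JavaScript parser runs.

```python
import html
import re

def escape_html_only(text):
    """HTML-context escaping only, as the advisory describes: ' survives."""
    return html.escape(text, quote=False).replace('"', "&quot;")

def escape_js_then_html(text):
    """Layered escaping: JavaScript string literal first, then HTML attribute."""
    js = []
    for ch in text:
        if ch in "\\'\"":
            js.append("\\" + ch)          # quotes and backslash cannot end the literal
        elif ch in "\n\r\u2028\u2029<>&":
            js.append("\\u%04x" % ord(ch))  # line terminators and tag characters
        else:
            js.append(ch)
    return html.escape("".join(js), quote=True)

def render_quick_reply(post_id, subject, escaper):
    """Hypothetical stand-in for the JSP fragment shown in the advisory."""
    return '<a href="#message" onclick="QuickReply(\'%s\',\'Re: %s\');">' % (
        post_id, escaper(subject))

def handler_as_browser_sees_it(markup):
    """The HTML parser decodes entities before the JS parser sees the handler."""
    return html.unescape(re.search(r'onclick="([^"]*)"', markup).group(1))

def code_outside_strings(js):
    """Blank out '...'/"..." literal bodies (honouring backslash escapes)."""
    out, i = [], 0
    while i < len(js):
        ch = js[i]
        if ch in "'\"":
            j = i + 1
            while j < len(js) and js[j] != ch:
                j += 2 if js[j] == "\\" else 1
            out.append(ch + ch)
            i = j + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def subject_breaks_out(post_id, subject, escaper):
    """True when part of the subject is parsed as code rather than string data."""
    markup = render_quick_reply(post_id, subject, escaper)
    code = code_outside_strings(handler_as_browser_sees_it(markup))
    return code != "QuickReply('','');"
```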

IV. Solution

At the time of writing, a fix is available in CVS.
http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316&r2=1.317

Timeline:

2008-04-27: mvnForum authors informed
2008-05-01: Fix available in CVS
2008-05-06: Vulnerability notice published
