SEC Consult Vulnerability Lab Security Advisory < 20130311-0 > ======================================================================= title: Persistent cross-site scripting vulnerability product: jforum vulnerable version: 2.1.9 fixed version: - impact: medium homepage: http://jforum.net/ found: 2012-09-20 CVE: by: A. Antukh SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- jforum is a powerful and robust discussion board system implemented in Java. "jforum is a discussion board software - a forum - widely known for half a decade already. It powers many big forums around the globe, including Electronic Arts' gaming forums, JavaRanch (one of the biggest and oldest Java communities), GUJ (the biggest Java development community for Portuguese speakers). It is an Open Source project, maintained by serious developers." Source: http://jforum.net/contact.jsp Vulnerability overview/description: ----------------------------------- A module "pm" provided in the standard installation of jforum includes the action "sendSave", which suffers from a persistent cross-site scripting vulnerability due to insufficient validation of user supplied data. An authenticated user is able to perform cross-site scripting attacks e.g. create relogin trojan horses or steal session cookies in the context of the affected website that uses a vulnerable version of jforum. Proof of concept: ----------------- The vulnerability is exploited due to improper validation of a certain parameter. PoC URL has been removed as no vendor patch is available. Vulnerable / tested versions: ----------------------------- The vulnerability is verified to exist in 2.1.9 version of jforum which is the most recent at the moment of writing the advisory. Fixed version: -------------- No patch available. Vendor contact timeline: ------------------------ 2012-11-15: Contacted vendor through rafael@insanecorp.com 2012-11-15: Initial vendor response - issues will be verified 2012-11-20: Under investigation / Being fixed in main codeline 2013-02-28: Vendor notification about advisory release on 2013-03-08 according to the SEC Consult responsible disclosure policy. 2013-03-05: Vendor agrees with dates of publishing the advisory, will maybe supply patch in the future (does currently not work on project) 2013-03-11: Public release of SEC Consult advisory Workaround: ----------- No workaround available Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF A. Antukh / @2013 SEC Consult Vulnerability Lab Security Advisory < 20130311-0 > ======================================================================= title: Persistent cross-site scripting vulnerability product: jforum vulnerable version: 2.1.9 fixed version: - impact: medium homepage: http://jforum.net/ found: 2012-09-20 CVE: by: A. Antukh SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- jforum is a powerful and robust discussion board system implemented in Java. "jforum is a discussion board software - a forum - widely known for half a decade already. It powers many big forums around the globe, including Electronic Arts' gaming forums, JavaRanch (one of the biggest and oldest Java communities), GUJ (the biggest Java development community for Portuguese speakers). It is an Open Source project, maintained by serious developers." Source: http://jforum.net/contact.jsp Vulnerability overview/description: ----------------------------------- A module "pm" provided in the standard installation of jforum includes the action "sendSave", which suffers from a persistent cross-site scripting vulnerability due to insufficient validation of user supplied data. An authenticated user is able to perform cross-site scripting attacks e.g. create relogin trojan horses or steal session cookies in the context of the affected website that uses a vulnerable version of jforum. Proof of concept: ----------------- The vulnerability is exploited due to improper validation of a certain parameter. PoC URL has been removed as no vendor patch is available. Vulnerable / tested versions: ----------------------------- The vulnerability is verified to exist in 2.1.9 version of jforum which is the most recent at the moment of writing the advisory. Fixed version: -------------- No patch available. Vendor contact timeline: ------------------------ 2012-11-15: Contacted vendor through rafael@insanecorp.com 2012-11-15: Initial vendor response - issues will be verified 2012-11-20: Under investigation / Being fixed in main codeline 2013-02-28: Vendor notification about advisory release on 2013-03-08 according to the SEC Consult responsible disclosure policy. 2013-03-05: Vendor agrees with dates of publishing the advisory, will maybe supply patch in the future (does currently not work on project) 2013-03-11: Public release of SEC Consult advisory Workaround: ----------- No workaround available Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF A. Antukh / @2013