-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1


mvnForum Cross Site Scripting Vulnerability


Original release date: 2008-04-27

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt

Source: Christian Holler <http://users.own-hero.net/~decoder/>



Systems Affected:


 mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum


Severity: Moderate



Overview:


 An attacker who has permission to start a new thread or to reply to an
 existing one can include JavaScript code in the topic (subject) text.
 That code is executed when another user clicks the quick reply button
 shown for every post.


 This injection point exists because the topic text is placed inside an
 "onclick" event handler used for the quick reply function, and the
 software only escapes the characters that are typical for HTML cross
 site scripting attacks. The single quote character, which delimits the
 string in the JavaScript context, is not escaped.


I. Description


 The standard per-thread functions include a feature called "quick reply".
 For user convenience, each post has a button that jumps to the quick
 reply form and sets the topic text of the reply at the top of that form.
 This is done with JavaScript, using the topic of the post being replied
 to. The source code for this button looks like this:


 <a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
 <img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"
  border="0" alt="Quick reply to this post" title="Quick reply to this post"
 /></a>


 Because single quotes are not escaped when the topic is inserted into
 this JavaScript string, it is possible to break out of the second
 argument and execute arbitrary JavaScript in the browser of any user
 who clicks the button.


II. Impact


 Any user who is allowed to post can use this flaw to steal sensitive
 information such as cookies from other users. Because the forum's
 cookies carry a simple, reusable MD5 hash, this attack makes it possible
 to gain unauthorized access to other user accounts.


 However, this attack relies on the victim clicking the quick reply
 button and should therefore be considered only a moderate risk.


III. Proof of concept


 Creating a new thread, or replying to one, with the following subject
 demonstrates the problem once any user clicks the "quick reply" button
 above the post text:

 

 Test', alert('XSS ALERT') , '
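 The following is an added example, not code from this advisory or from
 mvnForum. It models the quick reply button template shown in section I,
 builds the onclick attribute with the subject from the proof of concept,
 and runs the resulting handler in Node.js with stubbed QuickReply and
 alert functions so the effect can be observed without a browser. The
 function htmlEscapeOnly is an assumption about the kind of escaping the
 advisory describes (HTML metacharacters only); jsStringEscape is an
 illustrative hardening and is not the project's CVS fix.

```javascript
// Added example (not mvnForum's code): models the quick-reply onclick
// template from section I of the advisory and shows why escaping only
// HTML metacharacters does not protect a JavaScript string literal.

// Assumption: this approximates the escaping the advisory describes,
// covering characters typical for HTML injection and nothing else.
function htmlEscapeOnly(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Illustrative hardening (not the project's actual fix): escape for a
// single-quoted JavaScript string literal. Must run BEFORE the HTML
// attribute escape, because the browser undoes the HTML escape first.
function jsStringEscape(s) {
  return s.replace(/\\/g, '\\\\')
          .replace(/'/g, "\\'")
          .replace(/\r/g, '\\r')
          .replace(/\n/g, '\\n')
          .replace(/\u2028/g, '\\u2028')
          .replace(/\u2029/g, '\\u2029')
          .replace(/</g, '\\x3c');   // keeps "</script>" inert inside the literal
}

function hardenedEscape(s) {
  return htmlEscapeOnly(jsStringEscape(s));
}

// The onclick attribute value as the page template builds it, including
// the "Re: " prefix shown in the advisory.
function buildOnclick(postId, subject, escape) {
  return "QuickReply('" + postId + "','Re: " + escape(subject) + "');";
}

// What the browser's HTML parser hands to the script engine
// (&amp; is decoded last so nothing is double-decoded).
function htmlAttrDecode(s) {
  return s.replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// Execute the handler as a click would, with stubs recording the calls.
function simulateClick(onclickAttr) {
  const calls = { quickReply: null, alerts: [] };
  const QuickReply = (id, subject) => { calls.quickReply = { id, subject }; };
  const alert = (msg) => { calls.alerts.push(msg); };
  new Function('QuickReply', 'alert', htmlAttrDecode(onclickAttr))(QuickReply, alert);
  return calls;
}

// The subject from section III of the advisory.
const PAYLOAD = "Test', alert('XSS ALERT') , '";

function demo() {
  const vulnerable = simulateClick(buildOnclick('24', PAYLOAD, htmlEscapeOnly));
  const hardened = simulateClick(buildOnclick('24', PAYLOAD, hardenedEscape));
  return { vulnerable, hardened };
}

const result = demo();
console.log('vulnerable handler:', buildOnclick('24', PAYLOAD, htmlEscapeOnly));
console.log('  alert() called with:', result.vulnerable.alerts);
console.log('  QuickReply subject :', result.vulnerable.quickReply.subject);
console.log('hardened handler:  ', buildOnclick('24', PAYLOAD, hardenedEscape));
console.log('  alert() called with:', result.hardened.alerts);
console.log('  QuickReply subject :', result.hardened.quickReply.subject);
```

 With the HTML-only escape, the handler becomes
 QuickReply('24','Re: Test', alert('XSS ALERT') , ''); and the stubbed
 alert fires before QuickReply is even called, with the subject truncated
 to "Re: Test". With the string escape applied first and the attribute
 escape second, QuickReply receives the full subject unchanged and no
 alert is called. The order matters because each layer (HTML attribute,
 then JavaScript string) must be escaped for its own context. Storing
 the subject in a data attribute and reading it with getAttribute avoids
 the inline handler and removes the JavaScript string context entirely.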



IV. Solution


 At the time of writing, a fix is available in CVS.

 
http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316&r2=1.317


Timeline:


 2008-04-27: mvnForum authors informed

 2008-05-01: Fix available in CVS

 2008-05-06: Vulnerability notice published


-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.6 (GNU/Linux)


iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S

FWggJDc19FDPXiiyS+AP9iU=

=Tixo

-----END PGP SIGNATURE-----
