----------  Forwarded Message  ----------

Subject: Fuse Talk Vulnerabilities
Date: Wednesday 05 May 2004 13:15 pm
From: Stuart Jamieson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

As well as well-known XSS vulnerabilities, the latest version 4.0 seems to have
some other issues.

Unpatched releases of V4.0 allow the user to access the template banning.cfm
without any administrative privileges. All users of the software should
check with fusetalk.com for the latest security patches to prevent this
being misused.

Access to this template allows any user to ban any other users and seems to
be particularly vulnerable. Fortunately it does not affect the administration
templates, merely the moderation ones, so the chances of an attacker gaining
higher levels of access seem unlikely.

Another issue seems to exist which I have so far only tested on Version 2.0,
and I am unsure if this also occurs in V3-4: it appears that within the
administration templates adduser.cfm allows parameters to be passed by a GET
statement rather than a POST statement.

This potential vulnerability could allow a hostile to create a new account by
tricking some other person with moderator powers. Although it may seem
obvious that a link to

http://www.victim.com/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&[EMAIL PROTECTED]&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser

would create a new account. If the address is hidden within an image tag
[img][/img], then the event will fire the creation of the account when the
administrator's web browser attempts to download the image.

This could be extended by the variable FTVAR_SCRIPTRUN=self.close which, even
if not creating an account, would be capable of running malicious JavaScript
when an administrative user attempted to follow the link.

Since fusetalk relies nearly entirely on POST based data the best fix for
this is to restrict posting of data by a GET statement.
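A defensive guard for an admin or moderation action template such as adduser.cfm or banning.cfm, written here as an added CFML example (it is not FuseTalk's code, and the names SESSION.userLevel, SESSION.adminToken, ADMIN_LEVEL, FTVAR_CSRFTOKEN and the "ftadmin" log file are assumptions). It covers both points raised above, the moderation template reachable without the right privileges and the GET-driven account creation: it checks the caller's role inside the template itself, refuses anything but POST, reads fields from the FORM scope only, and binds the request to a per-session token that an image tag or pasted link cannot carry.

```cfml
<!--- adminguard.cfm: hypothetical include for the top of an admin/moderation
      action template (banning.cfm, adduser.cfm). Added example, not FuseTalk
      code. Assumes Application.cfm enables session management and that the
      login code sets SESSION.userLevel (assumed name) for the signed-in user. --->

<!--- 0. Authorisation: the template checks the caller's role itself instead of
        trusting that only a menu link reaches it. ADMIN_LEVEL is an assumed
        constant for the level needed to add or ban users. --->
<cfset ADMIN_LEVEL = 1>
<cfif NOT StructKeyExists(SESSION, "userLevel") OR SESSION.userLevel LT ADMIN_LEVEL>
    <cfheader statuscode="403" statustext="Forbidden">
    <cflog file="ftadmin" type="warning"
           text="Unauthorised access to #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#">
    <cfabort>
</cfif>

<!--- 1. Method: state-changing actions arrive by POST only. A request carrying
        FT_ACTION in the query string has the shape of the image-tag request
        described in the message, whatever the method, so it is refused too. --->
<cfif CGI.REQUEST_METHOD NEQ "POST" OR StructKeyExists(URL, "FT_ACTION")>
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cflog file="ftadmin" type="warning"
           text="Rejected non-POST action on #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#">
    <cfabort>
</cfif>

<!--- 2. Scope: read the action and its fields from FORM only. Defaulting the
        FORM-scoped names (rather than unscoped ones) means a missing field can
        never be filled in from URL or another merged scope. --->
<cfparam name="FORM.FT_ACTION" default="">
<cfparam name="FORM.FTVAR_CSRFTOKEN" default="">
<cfparam name="FORM.FTVAR_USERNAMEFRM" default="">

<!--- 3. Session binding: a per-session token is emitted as a hidden field by
        the admin form and echoed back here. A page on another site, an [img]
        tag or a pasted link can make the browser send its cookies but cannot
        know the token, so such a request is refused. --->
<cfif NOT StructKeyExists(SESSION, "adminToken")>
    <cfset SESSION.adminToken = CreateUUID()>
</cfif>
<cfif Len(FORM.FTVAR_CSRFTOKEN) EQ 0
      OR Compare(FORM.FTVAR_CSRFTOKEN, SESSION.adminToken) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cflog file="ftadmin" type="warning"
           text="Token mismatch on #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#">
    <cfabort>
</cfif>

<!--- All checks passed: the original handling continues, using FORM.FTVAR_*
      fields. Anything echoed back to the page (a username, an error message,
      a value like FTVAR_SCRIPTRUN) goes through HTMLEditFormat() so it is
      rendered as text rather than executed as script. --->
<cfif FORM.FT_ACTION EQ "adduser">
    <cfoutput><p>Adding user #HTMLEditFormat(FORM.FTVAR_USERNAMEFRM)#</p></cfoutput>
</cfif>

<!--- The admin form that feeds this template carries the token; the browser
      only ever sees it on a page served to the signed-in moderator. --->
<cfoutput>
<form method="post" action="adduser.cfm">
    <input type="hidden" name="FTVAR_CSRFTOKEN" value="#SESSION.adminToken#">
    <input type="text" name="FTVAR_USERNAMEFRM">
    <input type="hidden" name="FT_ACTION" value="adduser">
    <input type="submit" value="Add user">
</form>
</cfoutput>
```

Including the guard ahead of any action handling makes the templates fail closed: a request that arrives by GET, without the session token, or from a user below the required level is aborted before any account is created or ban applied, and each rejection leaves a line in the ftadmin log, which is the signal to watch for while the vendor patches are being rolled out.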

-------------------------------------------------------

--
Tom Chiverton
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.