3 XSS Vulnerabilities in Phorum <= 5.0.14

[Jon Oberheide <jonojono () umich edu>]

Author:  Jon Oberheide <jon () oberheide org>
Date:    Sat, March 12th, 2005


Summary
=======

Application:              Phorum
Vendor Website:           http://www.phorum.org
Affected Versions:        <= 5.0.14
Type of Vulnerability:    Cross Site Scripting (XSS)


About Phorum
============

Phorum is a web based message board written in PHP.  Phorum is
designed with high-availability and visitor ease of use in mind.
Features such as mailing list integration, easy customization and
simple installation make Phorum a powerful add-in to any website.


XSS Bug #1: Attachment Filename
===============================

When posting a message in a thread, Phorum allows for file attachments
of various types.  When a user later views the thread containing the 
attachment, the filename is displayed.  In file.php, the filename of 
the attachment is not sanitized before being output, leading to our 
XSS attack.

Posting of an attachment with a filename such as:

test<script language='Javascript'
src='http:&#47;&#47;test.com&#47;test.js'>.txt

will result in the execution of arbitrary javascript in an
unsuspecting user's browser when they view the thread.

The solution is to call PHP's htmlentities() on the filename before it
is output to the user's browser.


XSS Bug #2: Following Threads
=============================

While the subject line of a thread is sanitized correctly in the
majority of places in Phorum, it is not in follow.php.  When a user 
attempts to "follow" or subscribe to a thread with a malicious 
subject, the code will be executed.

The solution is to call PHP's htmlentities() on the thread subject in
follow.php before it is output to the user's browser.


XSS Bug #3: User Control Panel
==============================

The user's personal control panel has a module showing a list of
currently "followed" threads.  Similar to bug #2, the thread subject
line is not sanitized before this list is output.

The solution is to call PHP's htmlentities() on the thread subject in
the control panel before it is output to the user's browser.


Timeline
========

2005-02-20:  Bug #1 discovered and vendor notified
2005-02-21:  Version 5.0.14a released resolving bug #1
2005-02-22:  Bug #2 and #3 discovered and vendor notified
2005-03-10:  Version 5.0.15 released resolving bug #2 and #3
2005-03-12:  Advisory posted to bugtraq/full-disclosure


-- 
Jon Oberheide <jonojono () umich edu>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE

Attachment: signature.asc
Description: This is a digitally signed message part