BugTraq
Back to list
|
Post reply
Multiple Vulnerabilities in Splatt Forum 4.0
May 01 2003 06:58PM
Frame4 Security Systems (webmaster frame4 com)
========================================================================
===
====
FRAME4 SECURITY ADVISORY [FSA-2003:001]
------------------------------------------------------------------------
---
----
PRODUCT : Splatt Forum 4.0 for PHP-Nuke 6.0
PRODUCT/VENDOR URL : http://www.splatt.it/
TYPE : Vulnerability / Exploit
IMPACT : Medium
SUMMARY : Multiple Vulnerabilities in Splatt Forum 4.0
DISCOVERY DATE : 26/03/2003
PUBLIC RELEASE : 01/05/2003
AFFECTED VERSION(S): Splatt Forum 4.0 (as of discovery date)
FIXED VERSION(S) : Splatt Forum 4.0 Fix 1 (not tested)
VENDOR NOTIFIED : No
------------------------------------------------------------------------
---
----
BACKGROUNDER:
Splatt Forum is a MySQL driven, PHP-based forum system that fully
integrates in
to PHP-Nuke, the popular CMS system by Fransisco Burzi.
INTRODUCTION:
We have discovered two vulnerabilities in the vanilla version of Splatt
Forum
4.0 for PHP-Nuke 6.0; an XSS Vulnerability and an HTML/Code Injection Flaw.
The vulnerabilities and accompanying exploits were discovered and executed
upon
only one web site, and verified by Webmaster (webmaster (at) frame4 (dot) com [email concealed]).
ADVISORY URL:
http://frame4.com/php/modules.php?
name=News&file=categories&op=newindex&catid=4
http://www.frame4.com/content/advisories/FSA-2003-001.txt
VENDOR CONTACT:
None. We didn't contact the vendor as 'Splatt' has a very bad track record
when
it comes to replying to security reports and fixing issues. The web site
of the
vendor is almost entirely in Italian which makes vendor contact difficult.
VULNERABILITY DESCRIPTION:
Please refer to the 'Technical Description' section below, for full
description
of the problem(s).
VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):
"Out-of-the-box" version of Splatt Forum 4.0 for PHP-Nuke 6.0.
Although this is the ONLY version tested for the moment, it is highly
possible
that other versions are open to similar attacks.
SOLUTION/VENDOR INFORMATION/WORKAROUND:
There are various possible solutions going around at the forums at
splatt.it,
though the forums are in Italian and the English translations are often
poor.
Recently, Splatt Forum 4.0 Fix 1 has been released; but this is yet
untested.
TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:
[001] XSS Vulnerability
Post a message (Anonymous is OK) containing the following message body:
#
Some test text for fun <script>alert(document.cookie);</script> some more
text
goes here...
#
This causes the rendering of the script upon reading (loading) of the page
by
the next user. The JS is rendered FIRST, before the user can perform a
cancel
action.
[002] HTML/Code Injection Flaw
Perform a search with the keywords:
<iframe src="http://somesite.com">
Upon rendering of the search results the remote site or any local page
will be
rendered in the IFRAME. I am sure other JS exploits are renderable as well,
especially the IE 5-6 crash exploits (null objects) and remote JS cookie
snarfing.
CREDITS:
The vulnerabilities outlined in this advisory and accompanying sample code
have
been discovered by morning_wood (morning_wood (at) thepub.co (dot) za [email concealed]) of Morning
Wood,Inc
(http://take.candyfrom.us/).
At the time of discovery this vulnerability was considered 0-day as the
related
testing was performed "on the fly" as a curiosity test. The above exploits
have
not been circulated through the underground community and are presented
here as
a PUBLIC DISCLOSURE.
REFERENCES:
None.
ABOUT:
Frame4 Security Systems is a new security partner, empowering clients with
the
necessary knowledge and products to protect and secure their computer
systems.
Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-
515901 or
on the Web at http://www.frame4.com/.
DISCLAIMER:
This advisory is a Frame4 Security Systems ("Frame4") publication, all
rights
reserved (c) 2003. You may (re-)distribute the text as long as the content
is
not changed in any way and with this header text intact. If you want to
serve
this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so,
as
long as no changes are made without the prior permission of the author(s),
no
fees are charged and proper credit is given.
IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the
maximum
extent permitted by applicable law, in no event shall Frame4 Security
Systems
be liable for any damages whatsoever, (including, without limitation,
damages
for loss of any business profits, business interruption, loss of any
business
information, or other pecuniary loss) arising out of the use, or inability
to
use any software, and/or procedures outlined in this document, even if
Frame4
Security Systems has been advised of the possibility of such damage(s).
There
are NO warranties with regard to this information.
This advisory is the property of Frame4 Security Systems, all rights
reserved.
Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/
========================================================================
===
====
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
========================================================================
===
====
FRAME4 SECURITY ADVISORY [FSA-2003:001]
------------------------------------------------------------------------
---
----
PRODUCT : Splatt Forum 4.0 for PHP-Nuke 6.0
PRODUCT/VENDOR URL : http://www.splatt.it/
TYPE : Vulnerability / Exploit
IMPACT : Medium
SUMMARY : Multiple Vulnerabilities in Splatt Forum 4.0
DISCOVERY DATE : 26/03/2003
PUBLIC RELEASE : 01/05/2003
AFFECTED VERSION(S): Splatt Forum 4.0 (as of discovery date)
FIXED VERSION(S) : Splatt Forum 4.0 Fix 1 (not tested)
VENDOR NOTIFIED : No
------------------------------------------------------------------------
---
----
BACKGROUNDER:
Splatt Forum is a MySQL driven, PHP-based forum system that fully
integrates in
to PHP-Nuke, the popular CMS system by Fransisco Burzi.
INTRODUCTION:
We have discovered two vulnerabilities in the vanilla version of Splatt
Forum
4.0 for PHP-Nuke 6.0; an XSS Vulnerability and an HTML/Code Injection Flaw.
The vulnerabilities and accompanying exploits were discovered and executed
upon
only one web site, and verified by Webmaster (webmaster (at) frame4 (dot) com [email concealed]).
ADVISORY URL:
http://frame4.com/php/modules.php?
name=News&file=categories&op=newindex&catid=4
http://www.frame4.com/content/advisories/FSA-2003-001.txt
VENDOR CONTACT:
None. We didn't contact the vendor as 'Splatt' has a very bad track record
when
it comes to replying to security reports and fixing issues. The web site
of the
vendor is almost entirely in Italian which makes vendor contact difficult.
VULNERABILITY DESCRIPTION:
Please refer to the 'Technical Description' section below, for full
description
of the problem(s).
VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):
"Out-of-the-box" version of Splatt Forum 4.0 for PHP-Nuke 6.0.
Although this is the ONLY version tested for the moment, it is highly
possible
that other versions are open to similar attacks.
SOLUTION/VENDOR INFORMATION/WORKAROUND:
There are various possible solutions going around at the forums at
splatt.it,
though the forums are in Italian and the English translations are often
poor.
Recently, Splatt Forum 4.0 Fix 1 has been released; but this is yet
untested.
TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:
[001] XSS Vulnerability
Post a message (Anonymous is OK) containing the following message body:
#
Some test text for fun <script>alert(document.cookie);</script> some more
text
goes here...
#
This causes the rendering of the script upon reading (loading) of the page
by
the next user. The JS is rendered FIRST, before the user can perform a
cancel
action.
[002] HTML/Code Injection Flaw
Perform a search with the keywords:
<iframe src="http://somesite.com">
Upon rendering of the search results the remote site or any local page
will be
rendered in the IFRAME. I am sure other JS exploits are renderable as well,
especially the IE 5-6 crash exploits (null objects) and remote JS cookie
snarfing.
CREDITS:
The vulnerabilities outlined in this advisory and accompanying sample code
have
been discovered by morning_wood (morning_wood (at) thepub.co (dot) za [email concealed]) of Morning
Wood,Inc
(http://take.candyfrom.us/).
At the time of discovery this vulnerability was considered 0-day as the
related
testing was performed "on the fly" as a curiosity test. The above exploits
have
not been circulated through the underground community and are presented
here as
a PUBLIC DISCLOSURE.
REFERENCES:
None.
ABOUT:
Frame4 Security Systems is a new security partner, empowering clients with
the
necessary knowledge and products to protect and secure their computer
systems.
Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-
515901 or
on the Web at http://www.frame4.com/.
DISCLAIMER:
This advisory is a Frame4 Security Systems ("Frame4") publication, all
rights
reserved (c) 2003. You may (re-)distribute the text as long as the content
is
not changed in any way and with this header text intact. If you want to
serve
this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so,
as
long as no changes are made without the prior permission of the author(s),
no
fees are charged and proper credit is given.
IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the
maximum
extent permitted by applicable law, in no event shall Frame4 Security
Systems
be liable for any damages whatsoever, (including, without limitation,
damages
for loss of any business profits, business interruption, loss of any
business
information, or other pecuniary loss) arising out of the use, or inability
to
use any software, and/or procedures outlined in this document, even if
Frame4
Security Systems has been advised of the possibility of such damage(s).
There
are NO warranties with regard to this information.
This advisory is the property of Frame4 Security Systems, all rights
reserved.
Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/
========================================================================
===
====
[ reply ]