mvnForum 1.1 Cross Site Scripting May 06 2008 08:19PM
decoder-bugtraq own-hero net

Hash: SHA1

mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt

Source: Christian Holler <http://users.own-hero.net/~decoder/>

Systems Affected:

mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate


An attacker who has the rights to start a new thread or to reply

to an existing one, is able to include javascript code using the topic,

that is executed when other users use the quick reply button shown

for every post.

This point of injection is possible because the topic text is part

of an "onclick" event used for the quick reply function and the

software only escapes characters that are typical for HTML cross

site script attacks. In this case, the single quote character is not


I. Description

The list of standard functions for threads includes a typical feature

called "quick reply". For user convenience, each post has a button that

jumps to the form field allowing to send a quick reply, whilst changing

the topic text of the reply at the top of this form. This is accomplished

using javascript and the topic that is replied to. The source code for

this button looks like this:

<a href="#message" onclick="QuickReply('24','Re: Some thread topic');">

<img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"

border="0" alt="Quick reply to this post" title="Quick reply to this post" /></a>

Because single quotes are not escaped in the topic context, it is possible

to break out of the second argument and execute arbitrary javascript code

in the client's browser.

II. Impact

Any user that is allowed to post anywhere can use this flaw to steal

sensitive information such as cookies from other users. Especially

because the forum uses simple reusable MD5 hashes in their cookies,

this attack makes it possible to gain unauthorized access to other

user accounts.

However, this attack relies on the user to click the quick reply

button and should therefore be considered only a moderate risk.

III. Proof of concept

Creating a new thread or replying to a thread with the following subject

will demonstrate the problem after hitting the "quick reply" button above

the post text.

Test', alert('XSS ALERT') , '

IV. Solution

At the time of writing, a fix is available in CVS.



2008-04-27: mvnForum authors informed

2008-05-01: Fix available in CVS

2008-05-06: Vulnerability notice published


Version: GnuPG v2.0.6 (GNU/Linux)





[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus