From: Ulf Harnhammar (ulfh_at_update.uu.se)
Date: Tue Aug 13 2002 - 17:54:50 CDT


    L-Forum XSS and upload spoofing

    PROGRAM: L-Forum
    VENDOR: Leszek Krupinski <leszekphp.net>
    HOMEPAGE: http://l-forum.x-php.net/
    VULNERABLE VERSIONS: 2.4.0, possibly others
    IMMUNE VERSIONS: none, but an official patch is available for
                     some issues
    SEVERITY: high


    "L-Forum is [a] universal Web forum written in PHP. It has support
    for threading, multiple languages, and the PostgreSQL/MySQL database
    server. You can also easily change its design, or even change design
    on-the-fly with themes support."

    (direct quote from the program's project page at Freshmeat)

    L-Forum is published under the terms of the GNU General Public


    L-Forum has two distinct XSS (Cross-Site Scripting) holes that let an
    attacker embed JavaScript in the messages they post to a forum, so that
    it runs in the browser of everyone who reads them. It also has an upload
    spoofing hole that indirectly lets an attacker download any file on the
    server that the httpd daemon can read.


    1) If "Enable HTML in messages" is turned on in L-Forum
    Administration, every reader of a message is exposed to XSS (Cross-Site
    Scripting): all four parts of a message (the From, E-Mail, Subject and
    Body fields) are output without any filtering, so they may contain
    arbitrary HTML, including script tags that execute JavaScript in the
    reader's browser or, even worse, meta http-equiv refresh tags that
    redirect the reader to Gobbles' homepage.

    2) When "Enable HTML in messages" is turned off in L-Forum
    Administration, HTML code is removed only from the Body, not from the
    From, E-mail and Subject fields, so those three fields still carry any
    script an attacker puts in them to every reader.

    3) The file upload function accepts an upload without checking that the
    four global variables describing it (attachment, attachment_name,
    attachment_size and attachment_type) were really set by PHP from an
    uploaded file rather than supplied as ordinary POST fields (the
    register_globals pitfall: a POST field named attachment lands in the
    same global as the temporary file name of a real upload). An attacker
    who posts attachment=/etc/passwd together with a made-up name, size
    and type gets any file the web server can read treated as the uploaded
    attachment, copied into the attachment directory and offered for
    download.
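    The two XSS holes (1 and 2) come down to where output escaping is applied. The following PHP is an added example written for this page, not L-Forum's code: it models the two output paths the advisory describes (HTML enabled and disabled) on a constructed message, with the hardened rendering next to the vulnerable one. The field names, the mailto: link and the allow-list of tags are assumptions for the illustration.

```php
<?php
// Added example, not L-Forum's code. It models the two output paths the
// advisory describes (HTML enabled / disabled) on a constructed message and
// shows the hardened rendering next to the vulnerable one.

// Constructed attacker post: script in From, an attribute break-out in E-mail,
// an event handler in Subject and a meta refresh in Body.
$msg = [
    'from'    => 'Mallory<script>alert(document.cookie)</script>',
    'email'   => 'm@example.net" onmouseover="alert(1)',
    'subject' => '<img src=x onerror=alert(1)>',
    'body'    => '<meta http-equiv="refresh" content="0;url=http://attacker.example/">Hi all',
];

// Vulnerable pattern (holes 1 and 2): only the body is ever filtered, and only
// when HTML is disabled; From, E-mail and Subject are printed verbatim.
function render_vulnerable(array $m, bool $html_enabled): string
{
    $body = $html_enabled ? $m['body'] : strip_tags($m['body']);
    return "<b>From:</b> <a href=\"mailto:{$m['email']}\">{$m['from']}</a><br>\n"
         . "<b>Subject:</b> {$m['subject']}<br>\n"
         . "<p>{$body}</p>\n";
}

// Hardened: escape for the HTML context the value is inserted into.
function esc(string $s): string
{
    // ENT_QUOTES covers both quote styles, so the result is safe inside
    // attribute values (the mailto: href) as well as in element content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Body markup when "Enable HTML" is on: escape everything, then restore only
// exact, attribute-free tags from a short allow-list. Nothing carrying
// attributes (onerror=, href=javascript:) and no <script>/<meta> can survive,
// unlike strip_tags($s, '<b><i>'), which keeps attributes on allowed tags.
function allowlist_html(string $s): string
{
    $out = esc($s);
    foreach (['b', 'i', 'u', 'em', 'strong', 'code', 'pre'] as $t) {
        $out = str_replace(["&lt;{$t}&gt;", "&lt;/{$t}&gt;"], ["<{$t}>", "</{$t}>"], $out);
    }
    return str_replace('&lt;br&gt;', '<br>', $out);
}

function render_hardened(array $m, bool $html_enabled): string
{
    // Header fields never legitimately carry markup: escape them unconditionally,
    // regardless of the "Enable HTML in messages" setting.
    $from    = esc($m['from']);
    $email   = esc($m['email']);
    $subject = esc($m['subject']);
    $body    = $html_enabled ? allowlist_html($m['body']) : nl2br(esc($m['body']));
    return "<b>From:</b> <a href=\"mailto:{$email}\">{$from}</a><br>\n"
         . "<b>Subject:</b> {$subject}<br>\n"
         . "<p>{$body}</p>\n";
}

foreach ([true, false] as $enabled) {
    echo "=== Enable HTML in messages: " . ($enabled ? 'on' : 'off') . " ===\n";
    echo "-- vulnerable --\n" . render_vulnerable($msg, $enabled);
    echo "-- hardened --\n"   . render_hardened($msg, $enabled) . "\n";
}
```

    Run it with php from the command line and compare the two outputs: with HTML disabled the vulnerable renderer strips the meta tag from the body but still emits the script in From and the onerror handler in Subject, which is exactly hole 2; with HTML enabled it emits everything, which is hole 1. The hardened renderer escapes the three header fields in both modes and keeps only bare formatting tags in the body.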
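    Hole 3 is the classic register_globals upload check that PHP's own documentation warns about (register_globals has defaulted to off since PHP 4.2.0 and was removed in 5.4). The PHP below is an added example for this page, not L-Forum's code and not the vendor's patch: it contrasts a handler that trusts the four variables with one that reads upload metadata only from $_FILES and lets is_uploaded_file()/move_uploaded_file() confirm the temporary path really came from this request. The "server-only" file and the spoofed request are constructed so the script runs anywhere without touching /etc/passwd.

```php
<?php
// Added example, not L-Forum's code or the vendor's patch. It contrasts the
// register_globals-style upload handling the advisory describes with the
// is_uploaded_file()/move_uploaded_file() check PHP provides for exactly this
// case. The "server-only" file and the spoofed request are constructed here so
// the script runs anywhere without touching /etc/passwd.

$dir    = sys_get_temp_dir() . '/lforum_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$secret = $dir . '/server-only.txt';               // stands in for /etc/passwd
file_put_contents($secret, "root:x:0:0:root:/root:/bin/sh\n");

// What the attacker sends: ordinary POST fields with the same names PHP used to
// create for a real upload under register_globals ($attachment = temp file path,
// plus _name, _size, _type). No file is uploaded at all.
$spoofedPost = [
    'attachment'      => $secret,
    'attachment_name' => 'harmless.txt',
    'attachment_size' => (string) filesize($secret),
    'attachment_type' => 'text/plain',
];

// Vulnerable pattern (hole 3): trusts the four variables as if PHP had set them
// from a real upload, so copy() reads any file the httpd user can read into
// the attachment directory, from where it can be downloaded.
function save_attachment_vulnerable(array $vars, string $dir): string
{
    $dest = $dir . '/' . basename($vars['attachment_name']);
    copy($vars['attachment'], $dest);
    return $dest;
}

// Hardened: take upload metadata only from $_FILES, require a successful upload,
// and let PHP confirm the temp path is one it created for this request.
function save_attachment_hardened(array $files, string $dir): ?string
{
    $f = $files['attachment'] ?? null;
    if ($f === null || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() checks PHP's internal list of files received in this
    // request; a path that merely arrived as a form value fails the check.
    if (!is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    // Never reuse the client-supplied name verbatim: strip directories and
    // give the stored file a random prefix so it cannot overwrite another.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($f['name']));
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '_' . $safe;
    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    return move_uploaded_file($f['tmp_name'], $dest) ? $dest : null;
}

// Vulnerable handler: the server-only file is now an "attachment".
$leaked = save_attachment_vulnerable($spoofedPost, $dir);
echo "vulnerable stored: $leaked\n", file_get_contents($leaked);

// Hardened handler fed the same spoof, shaped the way $_FILES would look if an
// attacker could forge it: rejected, because the path was never uploaded.
$spoofedFiles = ['attachment' => [
    'name' => 'harmless.txt', 'type' => 'text/plain', 'size' => filesize($secret),
    'tmp_name' => $secret, 'error' => UPLOAD_ERR_OK,
]];
$result = save_attachment_hardened($spoofedFiles, $dir);
echo "hardened stored: " . ($result ?? 'nothing (rejected)') . "\n";
```

    The point of the second half is that the check does not rest on the shape of the input: even when the array looks exactly like a genuine $_FILES entry, is_uploaded_file() consults PHP's record of what was actually received in the request, so a path that was only ever a form value is refused.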


    The vendor was contacted on the 9th of July. He replied very quickly,
    and posted an official patch that fixes problems number 2 and 3,
    but not number 1, on the program's homepage. There is no official
    new release yet, but if you apply the patch and turn off "Enable
    HTML in messages" in L-Forum Administration, you are immune to all
    three holes.

    // Ulf Harnhammar