100158 2003-05-02  00:46  /173 lines/ Frame4 Security Systems <webmaster@frame4.com>
Imported: 2003-05-02  00:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4743>
Subject: Multiple Vulnerabilities in Splatt Forum 4.0
------------------------------------------------------------


===============================================================================
FRAME4 SECURITY ADVISORY [FSA-2003:001]
-------------------------------------------------------------------------------

PRODUCT            : Splatt Forum 4.0 for PHP-Nuke 6.0
PRODUCT/VENDOR URL : http://www.splatt.it/
TYPE               : Vulnerability / Exploit
IMPACT             : Medium
SUMMARY            : Multiple Vulnerabilities in Splatt Forum 4.0
DISCOVERY DATE     : 26/03/2003
PUBLIC RELEASE     : 01/05/2003
AFFECTED VERSION(S): Splatt Forum 4.0 (as of discovery date)
FIXED VERSION(S)   : Splatt Forum 4.0 Fix 1 (not tested)
VENDOR NOTIFIED    : No

-------------------------------------------------------------------------------

BACKGROUNDER:

Splatt Forum is a MySQL driven, PHP-based forum system that fully integrates
into PHP-Nuke, the popular CMS system by Francisco Burzi.

INTRODUCTION:

We have discovered two vulnerabilities in the vanilla version of
Splatt Forum 4.0 for PHP-Nuke 6.0: an XSS vulnerability and an
HTML/code injection flaw.

The vulnerabilities and accompanying exploits were discovered and
executed upon only one web site, and verified by Webmaster
(webmaster@frame4.com).

ADVISORY URL:

http://frame4.com/php/modules.php?name=News&file=categories&op=newindex&catid=4
http://www.frame4.com/content/advisories/FSA-2003-001.txt

VENDOR CONTACT:

None. We didn't contact the vendor as 'Splatt' has a very bad track
record when it comes to replying to security reports and fixing
issues. The web site of the vendor is almost entirely in Italian,
which makes vendor contact difficult.

VULNERABILITY DESCRIPTION:

Please refer to the 'Technical Description' section below for a full
description of the problem(s).

VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):

"Out-of-the-box" version of Splatt Forum 4.0 for PHP-Nuke 6.0.

Although this is the ONLY version tested for the moment, it is highly
possible that other versions are open to similar attacks.

SOLUTION/VENDOR INFORMATION/WORKAROUND:

There are various possible solutions going around at the forums at
splatt.it, though the forums are in Italian and the English
translations are often poor.

Recently, Splatt Forum 4.0 Fix 1 has been released, but this is yet
untested.

TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:

[001] XSS Vulnerability

Post a message (Anonymous is OK) containing the following message
body:

#
Some test text for fun <script>alert(document.cookie);</script> some more text goes here...
#

This causes the rendering of the script upon reading (loading) of the
page by the next user. The JS is rendered FIRST, before the user can
perform a cancel action.

[002] HTML/Code Injection Flaw

Perform a search with the keywords:

<iframe src="http://somesite.com">

Upon rendering of the search results, the remote site or any local
page will be rendered in the IFRAME. I am sure other JS exploits are
renderable as well, especially the IE 5-6 crash exploits (null
objects) and remote JS cookie snarfing.
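Both findings above ([001] and [002]) are the same defect: user-supplied text is written into the page without HTML encoding. The following is an added example, not Splatt Forum's own code; the render functions and page layout are hypothetical, and the two inputs are the advisory's proof-of-concept strings. It contrasts the unsafe pattern with output encoding, and shows why stripping only <script> tags would not have addressed the IFRAME case.

```php
<?php
// Added example (not Splatt Forum's own code). Hypothetical render helpers
// showing the vulnerable pattern next to the hardened one.

// Constructed inputs: the two proof-of-concept strings from this advisory.
$postBody       = 'Some test text for fun <script>alert(document.cookie);</script> some more text';
$searchKeywords = '<iframe src="http://somesite.com">';

// Vulnerable pattern: untrusted strings are concatenated straight into the HTML,
// so the browser parses <script> and <iframe> as markup.
function renderPostUnsafe(string $body): string {
    return "<div class=\"post\">$body</div>";
}
function renderSearchUnsafe(string $keywords): string {
    return "<p>Results for: $keywords</p>";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attributes; the charset must match the page's declared encoding.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function renderPostSafe(string $body): string {
    return '<div class="post">' . h($body) . '</div>';
}
function renderSearchSafe(string $keywords): string {
    return '<p>Results for: ' . h($keywords) . '</p>';
}

// A tag blocklist is not a fix: removing only <script> leaves the IFRAME intact,
// which is exactly the gap between finding [001] and finding [002].
function stripScriptOnly(string $s): string {
    return preg_replace('#</?script[^>]*>#i', '', $s);
}

echo renderPostUnsafe($postBody), PHP_EOL;          // script tag reaches the browser
echo renderPostSafe($postBody), PHP_EOL;            // &lt;script&gt; displayed as text
echo renderSearchUnsafe($searchKeywords), PHP_EOL;  // IFRAME tag reaches the browser
echo renderSearchSafe($searchKeywords), PHP_EOL;    // &lt;iframe ...&gt; displayed as text
echo renderSearchUnsafe(stripScriptOnly($searchKeywords)), PHP_EOL; // IFRAME still present
```

The encoding must be applied at every point where the stored post body or the echoed search keywords are written into HTML, including the thread listing and preview views, not only in the post view.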

CREDITS:

The vulnerabilities outlined in this advisory and accompanying sample
code have been discovered by morning_wood
(morning_wood@thepub.co.za) of Morning Wood, Inc
(http://take.candyfrom.us/).

At the time of discovery this vulnerability was considered 0-day, as
the related testing was performed "on the fly" as a curiosity
test. The above exploits have not been circulated through the
underground community and are presented here as a PUBLIC DISCLOSURE.

REFERENCES:

None.

ABOUT:

Frame4 Security Systems is a new security partner, empowering clients
with the necessary knowledge and products to protect and secure
their computer systems.

Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-515901
or on the Web at http://www.frame4.com/.

DISCLAIMER:

This advisory is a Frame4 Security Systems ("Frame4") publication,
all rights reserved (c) 2003. You may (re-)distribute the text as
long as the content is not changed in any way and with this header
text intact. If you want to serve this paper on your web
site/FTP/Newsgroup/etc., we encourage you to do so, as long as no
changes are made without the prior permission of the author(s), no
fees are charged and proper credit is given.

IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the
maximum extent permitted by applicable law, in no event shall Frame4
Security Systems be liable for any damages whatsoever (including,
without limitation, damages for loss of any business profits,
business interruption, loss of any business information, or other
pecuniary loss) arising out of the use, or inability to use, any
software and/or procedures outlined in this document, even if
Frame4 Security Systems has been advised of the possibility of such
damage(s). There are NO warranties with regard to this information.

This advisory is the property of Frame4 Security Systems, all rights
reserved.
Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/
===============================================================================