Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect

Date: 2015-08-17 09:33:26
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Phorum 5.2.19
Fixed in: 5.2.20
Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip
Vendor Contact: webmaster@phorum.org
Vulnerability Type: Reflected XSS (IIS only) and Open Redirect
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public: 08/17/2015
Release mode: Coordinated release
CVE: n/a
Google Dork: "This forum is powered by Phorum" (About 431,000 results)
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

Phorum 5.2.19 is vulnerable to reflected cross site scripting when running on Microsoft-IIS. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.

The attack can be exploited by getting the victim to click a link or visit an attacker controlled website.

Additionally, there is an open redirect vulnerability, which may aid attackers in phishing attacks. This vulnerability is not limited to Microsoft-IIS.

3. Proof of Concept

The XSS injection takes place into the phorum_redirect_to GET argument:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com"><script>alert(1)</script>

The open redirect is possible via the same GET argument as the XSS vulnerability:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com

4. Code

XSS:

common.php:1990 if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) { // the ugly IIS-hack to avoid crashing IIS print "<html><head>\n<title>Redirecting ...</title>\n"; print "<meta http-equiv=\"refresh\" content=\"0; URL=$redir_url\">"; print "</head>\n"; print "<body><a href=\"$redir_url\">Redirecting ...</a></body>\n"; print "</html>"; } }

Open Redirect:

redirect.php:29 if (isset($PHORUM["args"]["phorum_redirect_to"])) { $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]); phorum_redirect_by_url($redir); } common.php:1973 function phorum_redirect_by_url( $redir_url ) { [... (no sanitation) ... ] header( "Location: $redir_url" ); [...] }

4. Solution

To mitigate this issue please upgrade at least to version 5.2.20:

http://www.phorum.org/downloads/phorum_5_2_20.zip

Please note that a newer version might already be available.

5. Report Timeline

07/14/2015 Informed Vendor about Issue
07/19/2015 Vendor releases Version 5.2.20
08/17/2015 Disclosed to public