
Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
Date: 2015-08-17 09:33:26
1. Introduction
Affected Product: Phorum 5.2.19
Fixed in: 5.2.20
Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip
Vendor Contact: webmaster@phorum.org
Vulnerability Type: Reflected XSS (IIS only) and Open Redirect
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public: 08/17/2015
Release mode: Coordinated release
CVE: n/a
Google Dork: "This forum is powered by Phorum" (About 431,000 results)
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
Phorum 5.2.19 is vulnerable to reflected cross-site scripting when running on Microsoft-IIS. This makes it possible to inject and execute arbitrary JavaScript code, which an attacker can use, for example, to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.
The vulnerability can be exploited by getting the victim to click a link or visit an attacker-controlled website.
Additionally, there is an open redirect vulnerability, which may aid attackers in phishing attacks. This vulnerability is not limited to Microsoft-IIS.
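A log check for the phorum_redirect_to GET argument named in the Proof of Concept section, added here as an example and not part of the original advisory or of Phorum's code. It flags requests whose decoded value points off-site or carries markup characters; the forum hostname, the /forum/page.php path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

FORUM_HOSTS = {"forum.example.org"}  # assumption: hostnames the forum is served under
# Format-agnostic: finds the argument in combined-format logs and in IIS W3C logs.
PARAM = re.compile(r"(?:^|[?&\s])phorum_redirect_to=([^\s&\"]*)")
MARKUP = re.compile(r"[<>\"'`]|javascript:", re.I)

def classify(value):
    """Return 'markup', 'external' or None for one decoded argument value."""
    if MARKUP.search(value):
        return "markup"  # HTML/JS metacharacters have no place in a redirect target
    try:
        # Browsers treat "\" like "/", so normalise before parsing.
        target = urlsplit(value.strip().replace("\\", "/"))
    except ValueError:
        return "external"  # unparseable authority: treat as suspicious
    if target.scheme and target.scheme not in ("http", "https"):
        return "external"
    if target.netloc and target.hostname not in FORUM_HOSTS:
        return "external"  # absolute or scheme-relative (//host) URL to another site
    return None

def scan(lines):
    """Return (line_number, verdict, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in PARAM.finditer(line):
            value = unquote_plus(match.group(1))  # decoded once only
            verdict = classify(value)
            if verdict:
                hits.append((number, verdict, value))
    return hits

# Constructed sample lines (three combined-format, one IIS W3C); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Aug/2015:09:00:01 +0000] "GET /forum/page.php?phorum_redirect_to=%2Fforum%2Flist.php%3F5 HTTP/1.1" 200 512',
    '203.0.113.6 - - [17/Aug/2015:09:00:02 +0000] "GET /forum/page.php?phorum_redirect_to=http%3A%2F%2Fother.example.net%2F HTTP/1.1" 302 0',
    '203.0.113.7 - - [17/Aug/2015:09:00:03 +0000] "GET /forum/page.php?phorum_redirect_to=%2F%2Fother.example.net HTTP/1.1" 302 0',
    '2015-08-17 09:00:04 192.0.2.10 GET /forum/page.php phorum_redirect_to=%22%3E%3Cb%3E 80 - 203.0.113.8 Mozilla/5.0 200 0 0 15',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits on installations still running 5.2.19 are worth reviewing together with the referrer and the response status of the same request.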
3. Proof of Concept
The XSS injection takes place into the phorum_redirect_to GET argument:
The open redirect is possible via the same GET argument as the XSS vulnerability:
4. Code
XSS:
Open Redirect:
5. Solution
To mitigate this issue, please upgrade to at least version 5.2.20:
http://www.phorum.org/downloads/phorum_5_2_20.zip
Please note that a newer version might already be available.
6. Report Timeline
07/14/2015: Informed Vendor about Issue
07/19/2015: Vendor releases Version 5.2.20
08/17/2015: Disclosed to public