Phorum 5.2.19 - Reflected XSS and Open Redirect

["Curesec Research Team (CRT)" <crt () curesec com>]

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
Security Advisory – Curesec Research Team
1. Introduction

Affected Product:       Phorum 5.2.19   
Fixed in:               5.2.20
Fixed Version Link:     http://www.phorum.org/downloads/phorum_5_2_20.zip       
Vendor Contact:         webmaster () phorum org 
Vulnerability Type:     Reflected XSS (IIS only) and Open Redirect      
Remote Exploitable:     Yes     
Reported to vendor:     07/14/2015      
Disclosed to public:    08/17/2015      
Release mode:           Coordinated release     
CVE:    n/a     
Google Dork:            "This forum is powered by Phorum" (About 431,000 results)       
Credits                 Tim Coen of Curesec GmbH        

2. Vulnerability Description

Phorum 5.2.19 is vulnerable to reflected cross site scripting when
running on Microsoft-IIS. With this, it is possible to inject and
execute arbitrary JavaScript code. This can for example be used by an
attacker to inject a JavaScript keylogger, bypass CSRF protection, or
perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker controlled website.

Additionally, there is an open redirect vulnerability, which may aid
attackers in phishing attacks. This vulnerability is not limited to
Microsoft-IIS.

3. Proof of Concept

The XSS injection takes place into the phorum_redirect_to GET argument:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com";><script>alert(1)</script>

The open redirect is possible via the same GET argument as the XSS
vulnerability:

http://localhost/phorum-5.2.19/redirect.php?phorum_redirect_to=http://google.com

4. Code

XSS:

                common.php:1990
            if ( stristr( $_SERVER['SERVER_SOFTWARE'], "Microsoft-IIS" ) ) {
                // the ugly IIS-hack to avoid crashing IIS
                print "<html><head>\n<title>Redirecting ...</title>\n";
                print "<meta http-equiv=\"refresh\" content=\"0;
URL=$redir_url\">";
                print "</head>\n";
                print "<body><a href=\"$redir_url\">Redirecting
...</a></body>\n";
                print "</html>";
            }
        }

Open Redirect:

                redirect.php:29
                        if (isset($PHORUM["args"]["phorum_redirect_to"])) {
                                $redir = urldecode($PHORUM["args"]["phorum_redirect_to"]);
                                phorum_redirect_by_url($redir);
                        }

                common.php:1973
                        function phorum_redirect_by_url( $redir_url )
                        {
                        [... (no sanitation) ... ]
                        header( "Location: $redir_url" );
                        [...]
                        }

4. Solution

To mitigate this issue please upgrade at least to version 5.2.20:

http://www.phorum.org/downloads/phorum_5_2_20.zip

Please note that a newer version might already be available.

5. Report Timeline

07/14/2015      Informed Vendor about Issue
07/19/2015      Vendor releases Version 5.2.20
08/17/2015      Disclosed to public

6. Blog Reference

http://blog.curesec.com/article/blog/Phorum-5219-Reflected-XSS-IIS-only-and-Open-Redirect-45.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/