FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Cross-site scripting attacks
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
Cross-site scripting attacks [message #167755] Thu, 13 September 2012 10:46 Go to next message
mikrochip   Germany
Messages: 2
Registered: September 2012
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Hi!

I've found a critical bug in FUDforum that can be used for a Cross-site scripting attack.
An attacker could generate a special prepared data-URL which contains a HTML document with java script code and put a link to it into a forum message. This code will be executed in the context of the forum domain if any user clicks at the link.
So with Ajax the script can read out the SQ or other data and do anything.

All versions of FUDforum (at least since 2.7.7) are affected. I think earlier versions than 2.7.7 will also be affected, but I did not try it out.
I think you should really disable data-URLs in hyperlinks.
Re: FUDforum 3.0.4.1 released [message #167767 is a reply to message #167755] Sat, 15 September 2012 09:04 Go to previous messageGo to next message
StephenKing is currently offline  StephenKing   Germany
Messages: 10
Registered: August 2012
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
You've already heard of responsible disclosure?
Re: Cross-site scripting attacks [message #167768 is a reply to message #167767] Sun, 16 September 2012 12:33 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3632
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
Details would be great!
If you don't want to respond to my private mail, please post it here so it can be validated and fixed.
Aw: Re: FUDforum 3.0.4.1 released [message #167769 is a reply to message #167767] Sun, 16 September 2012 19:22 Go to previous messageGo to next message
mikrochip   Germany
Messages: 2
Registered: September 2012
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
StephenKing schrieb am Sat, 15 September 2012 09:04
You've already heard of responsible disclosure?

I'm sorry. It's the first vulnerability I ever found and I did not really know how to react. I was a little bit nerveous and didn't think enough about my practice.
Re: Aw: Re: FUDforum 3.0.4.1 released [message #167772 is a reply to message #167769] Tue, 18 September 2012 01:47 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3632
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
I received the info form mikrochip and are busy preparing a patch.
Re: Aw: Re: FUDforum 3.0.4.1 released [message #167786 is a reply to message #167772] Sat, 22 September 2012 10:52 Go to previous message
naudefj is currently offline  naudefj   South Africa
Messages: 3632
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
Fixed @ http://fudforum.svn.sourceforge.net/fudforum/?rev=5545&view=rev
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: Error with Googlebot / Invalid links
Next Topic: Syntax error in code generated after adding {IF} to template
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Dec 17 18:31:38 EST 2017

Total time taken to generate the page: 0.00787 seconds