FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.
Home » FUDforum Development » Bug Reports » Cross site scripting problem in admin login page
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
icon5.gif  Cross site scripting problem in admin login page [message #7492] Tue, 26 November 2002 12:05 Go to next message
Jimvin is currently offline  Jimvin   United States
Messages: 2
Registered: November 2002
Karma: 0
Junior Member
Hi,
I was checking out FUDForum for a friend who has recently installed it on his home PC and I have found a XSS problem in one of the pages. I went to the URL http://www.friendsserver.com/adm/index.php which take you to an login page.

If a login fails, the username tried is displayed in the textbox of the resulting page. Adding some special chars means that HTML, javascript etc. can be added to the page.

Example: The following string will display a javascript popup containing the user's cookie.

user" size=25> <script>alert(document.cookie)</script> <


The risk is mitigated to some degree in that certain special characters such as ' and " are escaped.Appologies if this has already been identified.

Cheers,
Jimvin

Report message to a moderator

Re: Cross site scripting problem in admin login page [message #7517 is a reply to message #7492] Fri, 29 November 2002 14:53 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Not true, before the login is displayed it is passed via
htmlspecialchars(stripslashes()), meaning that any tricks like JavaScript or HTML will be ignored.

FUDforum Core Developer

Report message to a moderator

icon5.gif  Re: Cross site scripting problem in admin login page [message #7524 is a reply to message #7517] Fri, 29 November 2002 19:43 Go to previous messageGo to next message
Jimvin is currently offline  Jimvin   United Kingdom
Messages: 2
Registered: November 2002
Karma: 0
Junior Member
I beg to differ...

Try visiting the URL on this site:

http://fud.prohost.org/forum/adm

Enter the following code into the Login box:

user" size=25> <script>alert(document.cookie)</script> <

You should see a popup containing your cookie.

Regards,
Jimvin

Report message to a moderator

Re: Cross site scripting problem in admin login page [message #7528 is a reply to message #7524] Sat, 30 November 2002 17:16 Go to previous messageGo to next message
zapal   Poland
Messages: 68
Registered: October 2002
Location: Poland
Karma: 0
Member
Hi

Did what Jimvin said and here's what happened:
I got an alert box containg values of frm_referer_id and ud_session_1010519835. When I closed this box, the page reloaded and told me sth like this:
Login Into the Forum
No such user
Login: [] <" size=25>
Password: []

Where "[]" is the inputbox.

Report message to a moderator

Re: Cross site scripting problem in admin login page [message #7531 is a reply to message #7528] Sat, 30 November 2002 18:01 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Fixed in CVS.

FUDforum Core Developer

Report message to a moderator

  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: FUD Forum does not run well over SSL
Next Topic: Member search disabled
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Sep 20 19:19:59 GMT 2024

Total time taken to generate the page: 0.05255 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.1.3.
Copyright ©2001-2023 FUDforum Bulletin Board Software