txtForum: Script Injection Vulnerability
Sunday, 12 March 2006
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-004, March 9, 2006
===========================================================

Affected applications
----------------------
txtForum (http://sourceforge.net/projects/txtforum1)
Versions 1.0.4-dev and prior.

Description
------------
There is an include statement in the file common.php on line 46 that
makes use of the SKIN constant, which was previously defined via the
$skin variable. Under the following conditions, an attacker can inject
arbitrary PHP script into the application:

- register_globals has to be active
- remote file inclusions have to be allowed

All the attacker has to do is find a path through the program that
doesn't initialize the $skin variable. The attacker does not require access
to an account in the forum. Here is an example of an attack page:

This leads to execution of the code in
http://evilserver.com/header.tpl.

There might be further possibilities for exploits (similar include
statements can also be found on lines 53 and 61).

Solution
---------
There is no solution to this issue yet.
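
As an added example (not txtForum code and not from the advisory's author), this is one way an include path built from a skin name can be pinned to local directories. The function resolve_skin(), the skin names and the directory layout are assumptions made for illustration.

```php
<?php
// Added example: not txtForum's code. Skin names, directory layout and
// resolve_skin() are assumptions made for illustration.

/**
 * Map a skin name to a directory under $skinRoot. Anything that is not an
 * exact allowlist match (URLs, paths, non-strings) falls back to $fallback.
 */
function resolve_skin($requested, array $allowed, string $skinRoot, string $fallback): string
{
    $name = (is_string($requested) && in_array($requested, $allowed, true))
        ? $requested
        : $fallback;

    // Canonicalise and confirm the result is still inside the skin root.
    $root = realpath($skinRoot);
    $dir  = realpath($skinRoot . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $dir === false || !is_dir($dir)
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('skin not found under skin root');
    }
    return $dir;
}

// Constructed sample layout so the example runs on its own.
$skinRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'skins_demo_' . getmypid();
mkdir($skinRoot . DIRECTORY_SEPARATOR . 'default', 0700, true);
file_put_contents(
    $skinRoot . DIRECTORY_SEPARATOR . 'default' . DIRECTORY_SEPARATOR . 'header.tpl',
    "<!-- default header -->\n"
);

$allowed = ['default'];

// Constructed inputs: a legitimate name, and a remote URL of the kind the
// advisory describes arriving through an uninitialised $skin.
foreach (['default', 'http://remote.example/'] as $candidate) {
    // Assign $skin on every code path; never rely on a global that the
    // request could have populated under register_globals.
    $skin = resolve_skin($candidate, $allowed, $skinRoot, 'default');
    echo $candidate, ' -> ', basename($skin), "\n";
    include $skin . DIRECTORY_SEPARATOR . 'header.tpl'; // always a local file
}
```

The two conditions listed in the description correspond to the php.ini settings register_globals and allow_url_fopen (and, from PHP 5.2, allow_url_include); turning either off removes a precondition.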

Timeline:
March 2, 2006:
  Vulnerability reported to and acknowledged by the developer
  (I.Konforti).
  A fix is not planned.
March 9, 2006:
  Advisory submission.

References
-----------
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at