The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Cross Site Scripting Vulnerabilities in FuseTalk
------------------------------------------------------------------------
SUMMARY
<http://www.fusetalk.com/> FuseTalk is a web based discussion forum
system.
FuseTalk suffers from multiple cross site scripting vulnerabilities.
DETAILS
Vulnerable Systems:
* FuseTalk Enterprise Edition Version 2.0. Other versions might be also
affected.
In some forums (often older version) when viewing the profile of users, if
scripting code is passed into: tombstone.cfm?ProfileID the text is once
again unfiltered and the script with be executed.
Example:
http://example.com/forum/tombstone.cfm?ProfileID=<script>alert(document.cookie)</script>
Data sent to usersearchresults.cfm does not appear to be filtered. Passing
malicious script code to the search parameter will be run unfiltered. That
error lies within the 'keyword' parameter. The issue can be recreated with
the url:
http://example.com/forum/usersearchresults.cfm?keyword=<script>alert(document.cookie)</script>&FT_ACTION=SearchUsers
The filtering script for the 'img src=' tag doesn't filter " (double
quote) if preceded by a ?. This leads to cross site scripting since the
<img src=" tag can be closed by a target url with a user injected ", thus
allowing an attacker to use an instruction like: onmouseover to inject
java script code.
Vendor Status:
The vendor was contacted last month and responded that:
"all of these issues below were fixed in "Security Patches" released
04/21/2004 & 05/04/2004. All customers were notified of these and were to
apply them. The site you are visiting obviously has not applied these
patches and should. If you do not the person in charge of that site you
visit you might want them to email me sales [AT] fusetalk.com and I can
let them know where to go and get those patches."
However, it appears a large number of sites running FuseTalk are
vulnerable and even the Demo Enterprise Edition on their homepage is
currently vulnerable. It would appear these patches are not making their
way around very well and/or do not fix all the below listed problems.
ADDITIONAL INFORMATION
The information has been provided by <mailto:root@spiffomatic64.com>
Spiffomatic64 and <mailto:steven@lovebug.org> Steven.
The original article can be found at:
<http://www.lovebug.org/fusetalk_advisory.txt>
http://www.lovebug.org/fusetalk_advisory.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
