Computer Cops: BBS - Portals


Vulnerabilities: XSS Vulnerabilities Found in XMB Forum
XMB Forum is "a free web-based bulletin board system written in PHP with a MySQL backend". Multiple cross-site scripting vulnerabilities have been found in XMB Forum. These vulnerabilities would allow attackers to insert malicious HTML and JavaScript code into existing web pages.
Posted by Paul  on Monday, 23 June 2003 @ 10:13:09 EDT (849 reads)

Advisories!: Splatt Forum 4.0 for PHP-Nuke 6.0 Multiple Vulnerabilities
Frame4 Security Advisory [FSA-2003:001]

Product : Splatt Forum 4.0 for PHP-Nuke 6.0
Product/Vendor URI : http://www.splatt.it/
Type: Vulnerability / Exploit
Impact : Medium
Summary : Multiple Vulnerabilities in Splatt Forum 4.0
Discovery Date : 26/03/2003
Public Release : 01/05/2003
Affected Versions(S): Splatt Forum 4.0 (as of discovery date)
Fixed Versions(S) : Splatt Forum 4.0 Fix 1 (not tested)
Vendor Notified : No

Posted by cj  on Thursday, 01 May 2003 @ 23:11:26 EDT (582 reads)

Advisories!: Snitz Forums 2000 Cross-Site Scripting
April 18, 2003

Snitz Forums 2000 contains an input validation error, which can be exploited by malicious users to conduct Cross-Site Scripting attacks against other users.

The function "ReplaceImageTags()" in "inc_func_common.asp" doesn't validate user input in image tags properly. A malicious person can exploit this to insert script code into an image tag by including a horizontal tab char " " (ASCII 0x09) into the script command. Script code will be executed in the user's browser session, when the entry is viewed.
Posted by cj  on Friday, 18 April 2003 @ 09:40:19 EDT (672 reads)

Vulnerabilities: ProBoards Forums Contains an XSS Vulnerability
ProBoards is a popular online message board service. An XSS vulnerability allowed users to inject JavaScript into an [img] tag before it was fixed on November the 28th.
Posted by Paul  on Monday, 23 December 2002 @ 08:00:00 EST (1120 reads)

Vulnerabilities: vBulletin Cross-Site HTML Scripting
vBulletin Forum Fails to Filter Scripting Code From Certain HTML Tags, Permitting Cross-Site Scripting Attacks

An input validation vulnerability was reported in vBulletin. A remote user can conduct cross-site scripting attacks against vBulletin users.

It is reported that vBulletin does not properly validate user-supplied input in forums that allow HTML tags. A remote user can, for example, insert scripting code into the HTML <B> bold tag.

A remote user can post a message containing specially crafted HTML so that, when the message is viewed by a target user, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running vBulletin and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Posted by Paul  on Monday, 16 December 2002 @ 12:00:00 EST (795 reads)

Beware!: phpBB Advanced Quick Reply Mod Code Injection Vulnerability
From: Hai Nam Luke
<[email protected]>

Software: phpBB Advanced Quick Reply Mod

I've found a security hole in this software (Code Injection). You can download this software at http://phpbbhacks.com/viewhack.php?id=586. Hackers can exploit this Mod to inject some shell code to hack your forum, your website or your server (local exploit) because Code Injection is a dangerous technique of hackers.

Exploit: (quick_reply.php)
Posted by Paul  on Tuesday, 19 November 2002 @ 08:35:00 EST (946 reads)

Vulnerabilities: CA-2002-21: Vulnerability in PHP
CERT Advisory CA-2002-21 Vulnerability in PHP

Original release date: July 22, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running PHP versions 4.2.0 or 4.2.1

Overview

A vulnerability has been discovered in PHP. This vulnerability could be used by a remote attacker to execute arbitrary code or crash PHP and/or the web server.

I. Description

PHP is a popular scripting language in widespread use. For more information about PHP, see

http://www.php.net/manual/en/faq.general.php

The vulnerability occurs in the portion of PHP code responsible for handling file uploads, specifically multipart/form-data. By sending a specially crafted POST request to the web server, an attacker can corrupt the internal data structures used by PHP. Specifically, an intruder can cause an improperly initialized memory structure to be freed. In most cases, an intruder can use this flaw to crash PHP or the web server. Under some circumstances, an intruder may be able to take advantage of this flaw to execute arbitrary code with the privileges of the web server.

You may be aware that freeing memory at inappropriate times in some implementations of malloc and free does not usually result in the execution of arbitrary code. However, because PHP utilizes its own memory management system, the implementation of malloc and free is irrelevant to this problem.
Posted by Paul  on Tuesday, 23 July 2002 @ 10:00:00 EDT (373 reads)

Vulnerabilities: Cross-Site Scripting Vulnerability in PHP Classifieds
PHP Classifieds is a classified-ads program that supports unlimited categories and ads. A security vulnerability in the product allows attackers to conduct cross-site scripting attacks.
Posted by Paul  on Monday, 15 July 2002 @ 07:13:20 EDT (409 reads)

Vulnerabilities: YaBB Invalid Topic Error Page Cross Site Scripting Vulnerability
It is reported possible for attackers to construct a URL that will cause scripting code to be embedded in error pages.

YaBB fails to check URLs for the presence of script commands when generating error pages, allowing attacker-supplied code to execute. If such a URL is sent to a YaBB user, the attacker-supplied code will run in the context of the site running the vulnerable software when the user accesses the link.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of YaBB.
Posted by Paul  on Sunday, 23 June 2002 @ 07:20:46 EDT (462 reads)

Downloads: XSS URL Patch for PHP-Nuke
This patch adds filters to protect against XSS in URLs. The following is filtered:

HTML Tags: script, iframe, object, applet, meta, style, form, img

In addition, the URL filters out any instance of quote marks.

Please note, this filtering code is only called when mainfile.php is included in your code. Example: modules.php includes mainfile.php whenever it calls any modules you have on the site. Hence, the URLs are filtered.

Why should you install this patch? To prevent users from crafting malicious URLs which could steal your members' passwords, not to mention yours!

As a sample to see what happens when a quote is entered into the URL (include the quote in your copy/paste to the URL Address Bar):

http://www.computercops.biz/modules.php?name=Search"
Posted by Paul  on Saturday, 22 June 2002 @ 21:27:07 EDT (624 reads)