FuseTalk Grants Remote Users Access to 'banning' Template
SecurityTracker Alert ID: 1010080
SecurityTracker URL: http://securitytracker.com/id/1010080
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 6 2004
Impact: Disclosure of user information, Modification of user information
Exploit Included: Yes
Version(s): 4.0
Description:
An input validation vulnerability was reported in FuseTalk. A remote user can access an administrative template.
Stuart Jamieson reported that unpatched releases of version 4.0 allow a remote user to access the 'banning.cfm' template and ban other users.
It is also reported that in version 2.0 (and possibly other versions), a remote authenticated user can pass parameters to the 'adduser.cfm' administration template via an HTTP GET request rather than a POST. A remote user can therefore construct a URL that, when loaded by an authenticated target administrator, will cause a new account to be created. A demonstration exploit URL is provided:
http://[target]/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser
The report indicates that this URL can be embedded within an '[img]' image tag so that when an authenticated target administrator views the image, the URL will be executed by the target user's browser.
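The pattern described above leaves a recognisable trace in web-server access logs: a GET request to an administration template that carries an FT_ACTION parameter, typically with a referer pointing at an ordinary forum page rather than the admin interface, or any request for the moderation template 'banning.cfm' from a non-administrative account. The following detector is an added example, not part of the SecurityTracker advisory or of FuseTalk; the log lines, hosts, addresses and the FTVAR_USERID parameter are constructed for illustration, and only the template and parameter names come from the advisory.

```python
"""Flag GET-driven FuseTalk admin actions and banning.cfm access in access logs.

Added example (not advisory or FuseTalk code). Scans combined-format
access log lines for the indicators the advisory describes.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Templates named in the advisory; any additions are an assumption.
ADMIN_TEMPLATES = {"adduser.cfm"}
MODERATION_TEMPLATES = {"banning.cfm"}

# Combined log format: client ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return a finding dict for a suspicious line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    template = parts.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(parts.query)
    findings = []
    if template in ADMIN_TEMPLATES and m["method"] == "GET" and "FT_ACTION" in params:
        # A state-changing admin action carried in the URL: exactly what an
        # [img] tag on a forum page can make an administrator's browser send.
        findings.append("admin_action_via_get")
    if template in MODERATION_TEMPLATES:
        # banning.cfm was reachable without admin rights on unpatched 4.0.
        findings.append("moderation_template_access")
    if "FTVAR_SCRIPTRUN" in params:
        # Parameter the report says ends up executed as script in the admin's browser.
        findings.append("scriptrun_param_present")
    if not findings:
        return None
    return {"client": m["client"], "template": template, "method": m["method"],
            "status": int(m["status"]), "referer": m["referer"], "findings": findings}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines; hosts, addresses and FTVAR_USERID are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2004:12:15:06 +0000] "GET /forum/index.cfm HTTP/1.1" 200 4213 "-" "Mozilla/4.0"',
    '198.51.100.7 - admin [05/May/2004:12:16:01 +0000] "GET /admin/adduser.cfm?FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_SCRIPTRUN=self.close%28%29%3B&FT_ACTION=adduser HTTP/1.1" 200 512 "http://forum.example/messages.cfm?id=42" "Mozilla/4.0"',
    '198.51.100.7 - admin [05/May/2004:12:20:44 +0000] "POST /admin/adduser.cfm HTTP/1.1" 302 0 "http://forum.example/admin/adduser.cfm" "Mozilla/4.0"',
    '203.0.113.9 - guest [05/May/2004:12:31:10 +0000] "GET /banning.cfm?FTVAR_USERID=17 HTTP/1.1" 200 1800 "http://forum.example/index.cfm" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The legitimate administrator POST in the third sample line produces no finding because its parameters travel in the body, which is the distinction the source message relies on; the forged GET is flagged even though it came from an authenticated admin session, since the referer and method, not the user, give it away.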
Impact:
A remote user can gain access to the 'banning.cfm' administrative template.
Solution:
The report suggests that a patch is available from the vendor to correct the 'banning.cfm' access flaw.
Vendor URL: www.fusetalk.com/
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: 5 May 2004 12:15:06 -0000
Subject: Fuse Talk Vulnerabilities
As well as well known XSS vulnerabilities the latest version 4.0 seems to have some other issues.
Unpatched releases of V4.0 allow the user to access the Template banning.cfm without any administrative privileges. All users of the
software should check with fusetalk.com for the latest security patches to prevent this being misused.
Access to this template allows any user to ban any other users and seems to be particularly vulnerable. Fortunately it does not affect
the administration templates, merely the moderation ones so the chances of an attacker gaining higher levels of access seem unlikely.
Another issue seems to exist which I have only so far tested on Version 2.0 and am unsure if this also occurs in V3-4, it appears
that within the administration templates adduser.cfm allows parameters to be passed by a get statement rather than a post statement.
This potential vulnerability could allow a hostile to create a new account by tricking some other person with moderator powers. Although
it may seem obvious that a link to
http://www.victim.com/admin/adduser.cfm?FTVAR_FIRSTNAMEFRM=God&FTVAR_LASTNAMEFRM=God&FTVAR_EMAILADDRESSFRM=Attacker@acker.com&FTVAR_USERNAMEFRM=attacker&FTVAR_PASSWORDFRM=coolpass&FTVAR_PASSWORD2FRM=coolpass&FTVAR_USERFORUMSFRM=0&FTVAR_USERTYPEFRM=g&FTVAR_USERLEVELFRM=0&FTVAR_STATUSFRM=1&FTVAR_CITYFRM=&FTVAR_STATEFRM=70&FTVAR_COUNTRYFRM=36&FTVAR_SCRIPTRUN=self.close%28%29%3B&FTVAR_RETURNERROR=Yes&FT_ACTION=adduser
would create a new account, if the address is hidden within an image tag [img][/img] then the event will fire the creation of the account
when the administrator's web browser attempts to download the image.
This could be extended by the variable FTVAR_SCRIPTRUN=self.close which, even when not creating an account, would be capable of running malicious
javascript when an administrative user attempted to follow the link.
Since fusetalk relies nearly entirely on POST based data the best fix for this is to restrict posting of data by a GET statement.
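The fix the reporter recommends is to stop accepting action parameters from a GET. Refusing GET alone closes the [img]-tag trigger, but a forged POST from another page would still carry the administrator's session cookie, so the usual companion is a per-session token that the attacker's page cannot know. The check below is an added example written in Python, not FuseTalk's ColdFusion code and not the reporter's; the template names and FT_ACTION come from the advisory, while the session model, the FTVAR_CSRFTOKEN field name and the request representation are assumptions. It also enforces the privilege check that unpatched 4.0 lacked for 'banning.cfm'.

```python
"""Gate state-changing FuseTalk-style admin templates on POST + CSRF token + privilege.

Added example (not FuseTalk or reporter code). The template names are
from the advisory; everything else is an assumed request/session model.
"""
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

ACTION_TEMPLATES = {"adduser.cfm", "banning.cfm"}
TOKEN_FIELD = "FTVAR_CSRFTOKEN"   # assumed field name, not a real FuseTalk parameter


class Session:
    """Minimal stand-in for a server-side session: privilege flag plus a CSRF token."""
    def __init__(self, is_admin):
        self.is_admin = is_admin
        self.csrf_token = secrets.token_hex(16)   # issued once per login, embedded in admin forms


def check_admin_action(method, url, form, session):
    """Return (allowed, reason) for a request; form is the parsed POST body."""
    parts = urlsplit(url)
    template = parts.path.rsplit("/", 1)[-1].lower()
    if template not in ACTION_TEMPLATES:
        return True, "not an action template"
    if not session.is_admin:
        # The banning.cfm flaw: moderation templates must require privilege.
        return False, "administrative privilege required"
    query = parse_qs(parts.query)
    if method != "POST" or "FT_ACTION" in query:
        # Parameters in the URL are what an [img] tag can deliver; refuse them outright.
        return False, "action parameters accepted only from a POST body"
    token = form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(token, session.csrf_token):
        # A cross-site POST carries the cookie but not the token from the real admin form.
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Exercise the gate with the advisory's GET pattern and its legitimate counterpart."""
    admin = Session(is_admin=True)
    guest = Session(is_admin=False)
    forged_get = "/admin/adduser.cfm?FTVAR_USERNAMEFRM=attacker&FT_ACTION=adduser"
    return {
        "forged_get": check_admin_action("GET", forged_get, {}, admin),
        "forged_post_no_token": check_admin_action(
            "POST", "/admin/adduser.cfm",
            {"FT_ACTION": "adduser", "FTVAR_USERNAMEFRM": "attacker"}, admin),
        "legit_post": check_admin_action(
            "POST", "/admin/adduser.cfm",
            {"FT_ACTION": "adduser", TOKEN_FIELD: admin.csrf_token}, admin),
        "guest_banning": check_admin_action(
            "POST", "/banning.cfm",
            {"FT_ACTION": "ban", TOKEN_FIELD: guest.csrf_token}, guest),
        "plain_page": check_admin_action("GET", "/forum/index.cfm", {}, guest),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny ':5s} {reason}")
```

The order of the checks matters: privilege is tested before method and token, so an unprivileged user never learns whether a token would have been accepted, and `hmac.compare_digest` keeps the token comparison constant-time.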