[Full-disclosure] [BMSA-2009-08] Multiple Vulnerabilities in PyForum

Mon, 14 Dec 2009 19:26:57 -0800 

BLUE MOON SECURITY ADVISORY 2009-08
===================================


:Title: Multiple Vulnerabilities in PyForum
:Severity: Critical
:Reporter: Hoang Quoc Thinh and Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --


Description
-----------

PyForum is a 100% python-based message board system based in the excellent 
web2py framework.

We have discovered cross site scripting and cross site request forgery 
vulnerabilities in PyForum. The first allows arbitrary script to run when a 
post is viewed. The second allows attackers to submit forms (such as changing 
password) automatically without user's knowledge.

XSS vulnerability lies in the BBcode parsing in module ``models.parser``. The 
``img`` and ``url`` tags do not sanitize inputs and hence are susceptible to 
script injection.

CSRF vulnerability lies in the design of this web application. Forms do not 
have secure cookies and may be automatically submitted on behalf of the user.

These bugs are rated at critical because they can be easily exploited and cause 
lost of integrity.

These bugs may exist in older versions and in zForum, from which pyForum 
derives, too.

Workaround
----------

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  December 05, 2009: Notice sent to Julio Flores Schwarzbeck (techfuel.net)

  December 09, 2009: Reminder sent to Julio Flores Schwarzbeck

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: December 15, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Attachment: pgppyadiGuhuk.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to