Vulnerabilities > CVE-2004-2242 - Cross-Site Scripting vulnerability in Phorum 5.0.7Beta

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
phorum
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in search.php in Phorum, possibly 5.0.7 beta and earlier, allows remote attackers to inject arbitrary HTML or web script via the subject parameter.

Vulnerable Configurations

Part | Description | Count
Application | Phorum | 1

Exploit-Db

description: Phorum 5.0.7 Search Script Cross-Site Scripting Vulnerability. CVE-2004-2242. Webapps exploit for PHP platform
id: EDB-ID:24331
last seen: 2016-02-02
modified: 2004-07-28
published: 2004-07-28
reporter: vampz
source: https://www.exploit-db.com/download/24331/
title: Phorum 5.0.7 - Search Script Cross-Site Scripting Vulnerability

Nessus

NASL family: CGI abuses : XSS
NASL id: PHORUM_SEARCH_XSS.NASL
description: The remote version of Phorum contains a script called … (truncated on this page; the full text is the "description" attribute in the plugin code below)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14185
published: 2004-08-02
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14185
title: Phorum search.php subject Parameter XSS
code:
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

# Plugin registration block: executed only when the engine loads the
# script to read its metadata (the `description` global is set); the
# actual check lives in the main body further down.
if(description)
{
 script_id(14185);
 script_version ("1.19");

 # Advisory references for this check.
 script_cve_id("CVE-2004-2242");
 script_bugtraq_id(10822);

 script_name(english:"Phorum search.php subject Parameter XSS");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that suffers from a cross-
site scripting flaw." );
 script_set_attribute(attribute:"description", value:
"The remote version of Phorum contains a script called 'search.php'
that is vulnerable to a cross-site scripting attack.  An attacker may
be able to exploit this problem to steal the authentication
credentials of third-party users." );
 script_set_attribute(attribute:"see_also", value:"http://securitytracker.com/alerts/2004/Jul/1010787.html" );
 script_set_attribute(attribute:"see_also", value:"https://www.phorum.org/cvs-changelog-5.txt" );
 # Remediation: the fix shipped in the next beta after 5.0.7.
 script_set_attribute(attribute:"solution", value:
"Upgrade to 5.0.7a.beta or later." );
 # CVSSv2 base vector: network, medium complexity, no auth, partial
 # integrity impact only (matches the scoring shown on the page).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # NOTE(review): exploit_available is "false" although an Exploit-DB
 # entry (EDB-ID 24331) exists for this CVE; exploitability_ease says
 # "No exploit is required", which is presumably why no separate
 # exploit is flagged -- confirm against current plugin metadata.
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # Broad CWE list (CWE-79 is the reflected-XSS entry; the rest are its
 # parents/categories); looks auto-generated rather than hand-picked.
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/27");
 script_cvs_date("Date: 2018/11/15 20:50:20");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:phorum:phorum");
 script_end_attributes();

 script_summary(english:"Checks for the presence of an XSS bug in Phorum");
 # ACT_ATTACK: the check below sends a probe request carrying a marker
 # string to the target, so it is scheduled with the active checks.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses : XSS");
 # The main body reads the www/<port>/phorum and www/<port>/generic_xss
 # KB keys; these dependencies presumably populate them.
 script_dependencies("phorum_detect.nasl", "cross_site_scripting.nasl");
 # Honour the scan-policy switch that disables CGI probing.
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 script_require_keys("www/PHP");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# A server that reflects arbitrary input is already reported by the
# generic XSS plugin; probing again here would only duplicate that finding.
if (get_kb_item(string("www/", port, "/generic_xss"))) exit(0);


# Look up the Phorum install recorded for this port ("<version> under <path>").
install = get_kb_item(string("www/", port, "/phorum"));
if (isnull(install)) exit(0);
m = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(m)) exit(0);

# Second capture group is the web path Phorum is installed under.
dir = m[2];

# Probe search.php with a harmless marker in the 'subject' parameter and
# look for it coming back unescaped.  (Query string kept verbatim from the
# original check, including the stray space after "match_forum=ALL".)
res = http_send_recv3(method:"GET", item:string(dir, "/search.php?12,search=vamp,page=1,match_type=ALL,match_dates=00,match_forum=ALL ,body=,author=,subject=<script>foo</script>"), port:port);
if (isnull(res)) exit(0);

# res[2] is the response body; headers and status line are not inspected.
# NOTE(review): a plain substring match on the body -- an error page that
# echoes the raw request would also match; confirm if tightening is wanted.
body = res[2];
if ("<script>foo</script>" >< body)
{
  security_warning(port);
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
}