Friday, May 29, 2009

Vulnerability in JForum

Today, I've found a potential vulnerability in JForum for satyam which is a Persistent XSS attack and here it goes the description,

I've created a new topic with Subject "@script@Alert('Testing')@/script@" and submitted the topic. Once it's submitted, it'll be listed in the forum topics.
Now I navigated to the forum's topic list and I clicked on the topic which has the subject"@script@Alert('Testing')@/script@", and it din't execute the script, why beacuse they have encoded this HTML, So I thought JForum for satyam is not vulnerable, but I just wanted to test it further and clicked on "post reply" for this topic, then the cript executed, I was kind of shocked how come JForum has not fixed this bug till I tested on their site(JForum site) and was not able to replicate it.Finally I thought it may just a patch with which satyam is not updated with to fix the potentially harmful bug which even may crash client's System...........!!!!!

Disclaimer: Content above is nothing to do any illegal or malicious activity but was just to test the security of the Apps and to share the knowledge with my blog viewers how serious a XSS attack can be.

1 comment:

Anonymous said...
This comment has been removed by a blog administrator.