SecurityReason - eForum 0.4 XSS

Advisory Text :

eForum v0.4 - NON-PERSISTENT XSS

by Omni

1) Infos

---------

Date : 2008-03-05
Product : eForum
Version : v 0.4
Vendor : http://www.phpbrasil.com/scripts/script.php/id/169

Vendor Status :
2008-03-18 Not Informed!
2008-03-18 Published!

Description :

eForum is an easy-to-install discussion board that doesn't require any
database. Features include admin area to delete topics with session
authentication, a search system (more stable this version), configurable
layout using css file.

Moderator can be notified of new posts on the forum. It has threaded view.
Ubbcode-style supported. Multiple languages supported: Portuguese, English,
German and Danish. UPDATE 0.4: post preview, better ubbcode support, better
javascript,nother small changes, some bugs fixed, italian and turkish
translations.

Dork : Powered by .. could be used.

Source : omnipresent - omni - http://omni.playhack.org

E-mail : omnipresent[at]NOSPAMemail[dot]it -
omni[at]NOSPAMplayhack[dot]net

2) Security Issues

-------------------

--- [ NON-PERSISTENT XSS ] ---

===============================================

Input passed to "busca" and "link" parameters in busca.php are not properly
sanitized before being returned to the

user's browser.

This can be exploited to execute arbitrary HTML/script code.

--- [ PoC ] ---

===============

http://localhost/eForum/busca.php

use the input box and search what you want. (js)

http://localhost/eForum/busca.php?link=%3Cscript%3Ealert(1)%3C/script%3E
&busca=%3Cscript%3Ealert(2)%3C/script%3E

http://localhost/eForum/busca.php?link=%3Cscript%3Ealert(1)%3C/script%3E

--- [ Patch ] ---

===============

- Edit the source code.