Westpoint Security Advisory
---------------------------

Title:        Phorum 5.2.10 Cross-Site Scripting Vulnerability in control.php
Risk Rating:  Medium
Platforms:    PHP (Windows and UNIX)
Author:       Andrew Paterson
Date:         06 Mar 2009
Advisory ID#: wp-09-0001
URL:          http://www.westpoint.ltd.uk/advisories/wp-09-0001.txt
CVE:          number requested from cve@mitre.org on 05 Mar 2009

Overview
--------

Phorum 5.2.10 contains a flaw in control.php which exposes users with
login credentials to cross-site scripting exploits.

Details
-------

http://{phorum_location}/control.php is vulnerable to cross-site
scripting via the "panel" parameter, as demonstrated by the following
URL:

http://{phorum_location}/control.php?0,panel=">

This exploit requires a registered user to be logged in, otherwise the
control.php script is not accessible.

Impact
------

This flaw allows a potential attacker to inject malicious JavaScript or
HTML code, which will run in the victim's browser at the same trust
level as content served by the Phorum site. This may enable them to
steal session cookies, form details, or other information. Any exploit
using this flaw would require the victim to be a user with login
credentials on a Phorum web site.

Timeline
--------

06 Mar 2009 (17:19) Phorum authors informed of the vulnerability
06 Mar 2009 (17:40) Fix applied by Phorum developer brian
                    (see http://www.phorum.org/changelog-5.txt)
22 May 2009         Phorum 5.2.11 released, with fix applied:
                    http://www.phorum.org/phorum5/read.php?64,138376,138376
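
Added example (not part of the original advisory and not Phorum's own code): a Python access-log check for the request pattern described under Details, flagging control.php requests whose "panel" argument is not a plain identifier. The allow-list pattern, the combined log format and the sample lines (including the panel name "summary") are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: legitimate panel names are short identifiers (letters, digits, _ or -).
SAFE_PANEL = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request target inside a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def panel_value(target):
    """Return the URL-decoded 'panel' argument of a control.php request, or None."""
    path, _, query = target.partition("?")
    if not path.endswith("/control.php"):
        return None
    # The advisory's URL uses comma-separated arguments ("?0,panel=..."); also accept '&'.
    for arg in re.split(r"[,&]", query):
        key, sep, value = arg.partition("=")
        if sep and unquote(key) == "panel":
            return unquote(value)
    return None

def suspicious_requests(log_lines):
    """Yield (line_number, panel) for panel values that fail the allow-list."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        panel = panel_value(match.group(1))
        if panel is not None and not SAFE_PANEL.fullmatch(panel):
            yield number, panel

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2009:17:01:02 +0000] "GET /forum/control.php?0,panel=summary HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/Mar/2009:17:03:40 +0000] "GET /forum/control.php?0,panel=%22%3Emarker HTTP/1.1" 200 5200',
    '192.0.2.44 - - [06/Mar/2009:17:04:05 +0000] "GET /forum/read.php?64,138376 HTTP/1.1" 200 9000',
    # Double-encoded value: one decoding pass leaves '%', which the allow-list rejects.
    '192.0.2.51 - - [06/Mar/2009:17:05:11 +0000] "GET /forum/control.php?0,panel=%2522%253E HTTP/1.1" 200 5200',
]

if __name__ == "__main__":
    for number, panel in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious panel value {panel!r}")
```

The same allow-list test, applied server-side before the value is echoed into HTML, is the validation half of the fix; output escaping is the other half.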