===============================================================================
FRAME4 SECURITY ADVISORY [FSA-2003:001]
-------------------------------------------------------------------------------
PRODUCT : Splatt Forum 4.0 for PHP-Nuke 6.0
PRODUCT/VENDOR URL : http://www.splatt.it/
TYPE : Vulnerability / Exploit
IMPACT : Medium
SUMMARY : Multiple Vulnerabilities in Splatt Forum 4.0
DISCOVERY DATE : 26/03/2003
PUBLIC RELEASE : 01/05/2003
AFFECTED VERSION(S): Splatt Forum 4.0 (as of discovery date)
FIXED VERSION(S) : Splatt Forum 4.0 Fix 1 (not tested)
VENDOR NOTIFIED : No
-------------------------------------------------------------------------------
BACKGROUNDER:
Splatt Forum is a MySQL-driven, PHP-based forum system that integrates fully
into PHP-Nuke, the popular CMS by Francisco Burzi.
INTRODUCTION:
We have discovered two vulnerabilities in the vanilla version of Splatt Forum
4.0 for PHP-Nuke 6.0: an XSS vulnerability and an HTML/code injection flaw.
The vulnerabilities and the accompanying exploits were discovered and tested
on only one web site, and verified by Webmaster (webmaster@frame4.com).
ADVISORY URL:
http://frame4.com/php/modules.php?name=News&file=categories&op=newindex&catid=4
http://www.frame4.com/content/advisories/FSA-2003-001.txt
VENDOR CONTACT:
None. We did not contact the vendor, as 'Splatt' has a very bad track record
when it comes to replying to security reports and fixing issues. The vendor's
web site is almost entirely in Italian, which makes vendor contact difficult.
VULNERABILITY DESCRIPTION:
Please refer to the 'Technical Description' section below for a full
description of the problem(s).
VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):
"Out-of-the-box" version of Splatt Forum 4.0 for PHP-Nuke 6.0.
Although this is the ONLY version tested so far, it is quite possible that
other versions are open to similar attacks.
SOLUTION/VENDOR INFORMATION/WORKAROUND:
Various possible solutions are circulating on the forums at splatt.it, though
the forums are in Italian and the English translations are often poor.
Splatt Forum 4.0 Fix 1 has recently been released, but it is as yet untested.
TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:
[001] XSS Vulnerability
Post a message (anonymous posting is OK) containing the following message body:
#
Some test text for fun some more text
goes here...
#
The script is executed when the next user loads (reads) the page: the JS runs
FIRST, before the user can perform any cancel action.
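The root cause of both issues described in this advisory is the same: text
supplied by a forum user (a post body, or the keywords echoed back on a search
results page) is written into the HTML without being encoded. The following is
an added illustration, not code from Splatt Forum or PHP-Nuke, of how a forum
can render untrusted text safely: every HTML metacharacter is escaped first,
and only a small allowlist of BBCode-style tags is then turned back into
markup, with link targets restricted to http/https. A small scanner for
spotting already-stored posts that contain raw markup is included, since a site
that was exposed needs to clean its existing posts as well. Function names, the
tag subset and the sample inputs are all constructed for this example.

```python
"""Escape-then-allowlist rendering for untrusted forum text (added example)."""
import html
import re
from urllib.parse import urlsplit

# Only these URL schemes may become a clickable link; anything else stays text.
SAFE_SCHEMES = {"http", "https"}


def escape_text(text: str) -> str:
    """Neutralise every HTML metacharacter in user input.

    Use this for anything echoed back verbatim, e.g. the search keywords shown
    on a results page, so a search string can never inject markup.
    """
    return html.escape(text, quote=True)


# BBCode subset recognised *after* escaping; brackets survive html.escape, so
# these patterns match on the escaped text and emit fixed, known-safe tags.
_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_ITALIC = re.compile(r"\[i\](.*?)\[/i\]", re.S)
_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)


def _safe_link(match):
    """Turn [url=...]label[/url] into <a> only if the target is http(s)."""
    # The href was escaped in step one; decode it to validate the real URL.
    raw_href = html.unescape(match.group(1)).strip()
    parts = urlsplit(raw_href)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        # Leave the BBCode as inert text instead of emitting an unsafe link.
        return match.group(0)
    href = html.escape(raw_href, quote=True)
    return '<a href="%s">%s</a>' % (href, match.group(2))


def render_post(body: str) -> str:
    """Render a post body: escape everything, then re-enable the allowlist."""
    out = escape_text(body)
    out = _BOLD.sub(r"<b>\1</b>", out)
    out = _ITALIC.sub(r"<i>\1</i>", out)
    out = _URL.sub(_safe_link, out)
    return out


# Markers of raw markup that should never be present in a stored post body
# when the forum only accepts BBCode; useful for auditing an existing database.
_RAW_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:", re.I
)


def looks_like_injection(text: str) -> bool:
    """True if a stored post contains raw script/handler markup worth reviewing."""
    return bool(_RAW_MARKUP.search(text))


if __name__ == "__main__":
    # Constructed sample inputs (not the payload from the advisory).
    samples = [
        "Some test text for fun some more text goes here...",
        "<script>alert(1)</script> hello",
        "[b]bold[/b] & [url=http://www.splatt.it/]Splatt[/url]",
        "[url=javascript:alert(1)]click[/url]",
    ]
    for s in samples:
        print("suspicious=%-5s %s" % (looks_like_injection(s), render_post(s)))
```

Escaping on output rather than filtering on input is what makes this robust:
a post is stored exactly as typed, and `render_post` guarantees that the only
tags reaching the browser are the ones the forum itself emitted.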
[002] HTML/Code Injection Flaw
Perform a search with the keywords: