J-Security Center

Title: Multiple Vendor CGI Script Forced URL Request Vulnerability

Severity: HIGH

Description:

Many web-based applications (e.g. threaded discussion forums) contain security vulnerabilities that can improperly allow an attacker to force other, possibly authenticated, users to submit arbitrary GET requests.

Many such CGI applications accept user input in the form of HTML-embedded references to images and other web content. For example, forum scripts may allow users to include images in discussion threads by supplying a URL pointing to the appropriate image file.

It has been discovered that in many cases, users can supply hostile query strings concealed within a posted image reference, such as

[img]http://example.com/forums/newreply.cgi?action=newthread&subject=subj&body=arbitrary+attacker-supplied+text&submit=go[/img]

When, for example, a browser attempts to retrieve a posted image, the SRC URL contained within the <img> tag is submitted to the vulnerable CGI script, apparently by the target user. If the exploited user is already authenticated, for instance as a forum administrator, the attacker-supplied CGI query is carried out with the target user's apparent permissions.

This could allow an attacker to force a user viewing the image to unwittingly perform functions such as updating the target user's profile, sending attacker-supplied text in forged email messages or submitting posts to the affected forum.

Note: This is a broad conceptual vulnerability. It is likely that many different CGI applications are vulnerable to this type of problem. The packages listed as vulnerable or not vulnerable are those which have been tested. Forthcoming updates will include applications that are found to be vulnerable or not vulnerable.
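The following added example (not code from the advisory or from any of the listed vendors) models the script class described above next to a hardened handler. The vulnerable model acts on any authenticated GET that names a valid action, exactly the condition an embedded image fetch satisfies; the hardened model requires POST and a hypothetical per-session anti-CSRF token, neither of which an <img> fetch can supply.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# The URL from the advisory, as a viewer's browser would request it when
# rendering the posted [img] tag.
HOSTILE_IMG_SRC = ("http://example.com/forums/newreply.cgi?action=newthread"
                   "&subject=subj&body=arbitrary+attacker-supplied+text&submit=go")

def parse_query(url):
    """Split a URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}

def vulnerable_newreply(url, session):
    """Models the behaviour the advisory describes: any GET that names a valid
    action is executed with the identity of the current session."""
    _, q = parse_query(url)
    if session.get("user") and q.get("action") == "newthread" and q.get("submit") == "go":
        return {"posted_by": session["user"], "subject": q.get("subject"), "body": q.get("body")}
    return None

def issue_csrf_token(session):
    """Hypothetical token issuance: a random per-session secret that the
    legitimate reply form embeds and the handler checks on submission."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]

def hardened_newreply(method, form, session):
    """Hypothetical hardened handler: state changes require POST plus a token
    matching the one stored in the session. An image fetch is always a GET
    with no form body, so an embedded [img] URL fails both checks."""
    if method != "POST":
        return ("rejected", "state-changing action requested via GET")
    expected = session.get("csrf")
    if not expected or not hmac.compare_digest(form.get("csrf", ""), expected):
        return ("rejected", "missing or invalid anti-CSRF token")
    if not session.get("user"):
        return ("rejected", "not authenticated")
    return ("posted", {"posted_by": session["user"],
                       "subject": form.get("subject"), "body": form.get("body")})
```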

Affected Products:

  • Infopop Ultimate Bulletin Board 6.0.0
  • Infopop Ultimate Bulletin Board 6.0.1
  • Infopop Ultimate Bulletin Board 6.0.2
  • Infopop Ultimate Bulletin Board 6.0.3
  • VBulletin VBulletin 1.0.1 lite
  • VBulletin VBulletin 2.0.0 rc 2
  • WWWThreads WWWThreads 5.4.0
  • ezboard ezboard 6.2.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.