Full Disclosure – Multiple XSS holes in FuseTalk Forum Software

The Test Manager
***EDIT***
I received notification from FuseTalk that the below issues should now be fixed on their site. This should mean that the patch should be rolled out to customer sites in the near future.
With this in mind I have agreed to their request to remove references to the names of their customers from my post.
***END EDIT***
FuseTalk is forum software widely used on the web.
Yesterday I found multiple XSS holes while browsing the ******* Forum site.
******* uses FuseTalk as its forum software.
Now there are a few strange things here.
Firstly, ******* is a security firm, and you would have thought that they would have picked this up, or at least carried out a review of any software before adding it to their site. The other strange issue is that the software vendor, FuseTalk, is not even running the latest version of the software on their own site.
Anyway see below for the disclosure.
XSS vulnerability in FuseTalk Forums
————————————-
Vulnerability ID: Month Of Full Disclosure 1 = MOFD1
————————————
Product: FuseTalk
————————————-
Vendor: FuseTalk Inc
( http://www.fusetalk.com/Company/AboutFuseTalk/tabid/111/Default.aspx )
————————————-
Vulnerable Version: 4.0 (the current version) and probably prior versions
————————————-
Vendor Notification: 02 August 2010
Public Disclosure: 02 August 2010
————————————-
Vulnerability Type: XSS (Cross Site Scripting)
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted, Awaiting Vendor Response
————————————-
Risk level: Medium
————————————-
Credit: Martin Hall – TheTestManager
Site = http://www.thetestmanager.com
twitter = @thetestmanager
Vulnerability Details:
There exist multiple XSS flaws in FuseTalk Forums.
These flaws are present even months/years after previous XSS, HTML injection and SQL injection
issues were reported to FuseTalk.
It is time for a full and thorough source code review, guys.
————————————-
Potential Users Affected: minimum 250,000 users
******* = 5664 Users
FuseTalk forums = 11357 Users
*** = 103488 users
*** **** = 43767 users
******.com = 79718 users
**********.com = 31396 users
********.com = 23033 users
————————————-
Dork to find Vulnerable Sites (1)
fusetalk “users are registered”
Dork to find Vulnerable Sites (2)
© 1999-2010 FuseTalk Inc. All rights reserved.
————————————-
Sample URLs
http://forums.fusetalk.com/usersearchresults.cfm?keyword=ttm--" ><script>alert('TheTestManager.com- Month of Full disclosure')</script>&FT_ACTION=SearchUsers – (Tested in IE8)
http://supportforums.*******.com/categories.aspx?catid=76&FTVAR_SORT=date&FTVAR_SORTORDER=0017ttm-" style=x:expression(alert("TheTestManager")) ttm=" (Tested in IE7)
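Both sample URLs inject into an HTML attribute context: the first closes the quoted attribute and the tag and opens a script element, the second closes the attribute and appends a style attribute carrying an IE-only expression(). The snippet below is an added example, not FuseTalk's code: a hypothetical template that echoes the keyword parameter into a value attribute (the pattern the URLs imply), the same template with attribute-context output encoding, and a parser-based check that reports whether the rendered markup contains any tag or attribute the template never wrote. The hostname, the template and the shortened alert text are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the two attribute-breakout payloads from the advisory's
# sample URLs, with the alert text shortened. Nothing here is FuseTalk code.
PAYLOAD_SCRIPT = 'ttm--" ><script>alert(\'ttm\')</script>'
PAYLOAD_STYLE = '0017ttm-" style=x:expression(alert("ttm")) ttm="'
SAMPLE_URL = ("http://forums.example.test/usersearchresults.cfm?keyword="
              + PAYLOAD_SCRIPT + "&FT_ACTION=SearchUsers")


def keyword_from_url(url: str) -> str:
    """Extract the reflected query parameter the way the server would see it."""
    return parse_qs(urlsplit(url).query).get("keyword", [""])[0]


def render_vulnerable(keyword: str) -> str:
    """Hypothetical stand-in for a template that echoes the search keyword
    straight into a quoted attribute, which is what the sample URLs imply."""
    return f'<input type="text" name="keyword" value="{keyword}">'


def render_fixed(keyword: str) -> str:
    """Same template with attribute-context output encoding. html.escape with
    quote=True turns & < > " ' into entities, so the value can neither close
    the attribute nor start a new tag or attribute."""
    return f'<input type="text" name="keyword" value="{html.escape(keyword, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names: the browser's view of
    the markup rather than the template author's."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def injected(rendered: str) -> bool:
    """True if the rendered page contains any tag or attribute the template did
    not write. The template emits exactly one <input> with type, name and
    value, so anything else came from the untrusted keyword."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    allowed = {"type", "name", "value"}
    return any(tag != "input" or not set(attrs) <= allowed
               for tag, attrs in parser.tags)


if __name__ == "__main__":
    keyword = keyword_from_url(SAMPLE_URL)
    for label, payload in (("script", keyword), ("style", PAYLOAD_STYLE)):
        for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            page = render(payload)
            print(f"{label:6} {name:10} injected={injected(page)}  {page}")
```

Attribute-context encoding neutralises both payloads because neither can close the quoted value any more; the expression() vector only ever fired in old Internet Explorer, but the encoding removes the breakout that placed it in a style attribute in the first place. The encoder is context-specific: the same call would be the wrong fix for data placed inside a script block, a URL or a style attribute, each of which needs its own encoding rules.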
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
Users are advised to use NoScript or other XSS-mitigating software.
Admins are advised to change forum software, or to put pressure on FuseTalk to carry out a full source code review.
————————————-
Other Miscellaneous Information
http://www.fusetalk.com/ProductsServices/FuseTalk/WhosUsingFuseTalk/tabid/72/Default.aspx
Arrived from the Ligatt post, nice catch
Just wanted to point out you've left in the name of the company mentioned in the above post (“….uses FuseTalk as it’s forum software.”)
Whoops, thanks for pointing that out.
Now amended.
Martin H
The Test Manager