ECHU Alert #3 : Meunity 1.1 script injection vulnerability

From: dasat_private
Date: Mon Oct 14 2002 - 12:54:15 PDT

Next message: Curator at Security Digest Archive: "Researcher seeking 'phage' and other security mailing list archives"

Previous message: Daniel Ahlberg: "GLSA: net-snmp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----------------------------------------------
| Meunity 1.1 script injection vulnerability |
----------------------------------------------


PROGRAM: Meunity Community System
VULNERABLE VERSIONS: all
IMMUNE VERSIONS: none
SEVERITY: really high


Tested version
==============
Meunity Community System 1.1 (stable) Released with IE 5/5.5/6 and AOL.


Description
============ 
"Meunity is a sophisticated Web-based community system that uses PHP. It is object oriented, so it is easily extendible. Its database abstraction layer allows it to be compatible with multiple databases." - sourceforge.net
In fact Meunity is a quick and simple CMS with a few options, in this options there's a forum.

There's a vulnerability in the forum that allow a badly disposed member to execute code. The problem appears when a user post in the forum, a vulnerability exists in this CMS that allow a badly disposed member to perform a typical IMG attack against visitors :

<IMG SRC="javascript:alert('unsecure')"> 


The problem
=========== 
A badly disposed member can post a topic containing malicious code and as soon as somebody see this topic the code will be executed on his workstation.


Vendors status
==============
I contacted Zack Coburn (Meunity developper) via sourceforge.net one week ago but I had no answer back.


Solution
========
There's no secure release of Meunity Community System, so the unique solution is, at this moment, to disallow posting in Meunity forum to avoid the problem. Hope that Zack Coburn will release a new immune version as soon as possible.


Links
=====
http://meunity.sourceforge.net/
http://sourceforge.net/projects/meunity/


This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=132


David Suzanne (aka dAs)
dasat_private
http://www.echu.org 


-----------------------------------------------------------------
ECHU.ORG is not responsible for the misuse of the information we 
provide through our security advisories. These advisories are a 
service to the professional security community. In no event shall 
ECHU.ORG be liable for any consequences whatsoever arising out of 
or in connection with the use or spread of this information.
-----------------------------------------------------------------

Next message: Curator at Security Digest Archive: "Researcher seeking 'phage' and other security mailing list archives"
Previous message: Daniel Ahlberg: "GLSA: net-snmp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 14:39:23 PDT