Content-Type: text/plain; charset=US-ASCII
BLUE MOON SECURITY ADVISORY 2009-08
:Title: Multiple Vulnerabilities in PyForum
:Reporter: Hoang Quoc Thinh and Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --
PyForum is a 100% python-based message board system based in the excellent web2py framework.
We have discovered cross site scripting and cross site request forgery vulnerabilities in PyForum. The first allows arbitrary script to run when a post is viewed. The second allows attackers to submit forms (such as changing password) automatically without user's knowledge.
XSS vulnerability lies in the BBcode parsing in module ``models.parser``. The ``img`` and ``url`` tags do not sanitize inputs and hence are susceptible to script injection.
CSRF vulnerability lies in the design of this web application. Forms do not have secure cookies and may be automatically submitted on behalf of the user.
These bugs are rated at critical because they can be easily exploited and cause lost of integrity.
These bugs may exist in older versions and in zForum, from which pyForum derives, too.
There is no workaround.
There is no fix at the moment.
Blue Moon Consulting adapts `RFPolicy v2.0