CVE-2019-18873 in FUDForum

Summary

by MITRE

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.


Analysis

by VulDB Data Team • 08/23/2025

FUDForum version 3.0.9 contains a critical stored cross-site scripting vulnerability in the way the User-Agent HTTP header is recorded and later displayed inside the administrative control panel. It is classified as CWE-79 - Cross-site Scripting and can be escalated to full system compromise. The affected files are admsession.php, which records session data, and admuser.php, which handles user management. When an authenticated attacker sends a GET request carrying a crafted User-Agent header, the header value is stored persistently in the application's session or user records instead of being discarded after the request.

The exploitation chain begins with an attacker who holds an ordinary user account and sends a GET request with a malicious User-Agent header. Nothing happens at that point; the payload fires when an administrator opens the "User Manager" section of the control panel and views the compromised user's record, because the stored header is rendered into the page unescaped. The script then runs with the administrator's session, and from that position it can drive the control panel to write PHP files into the web root, turning the XSS into remote code execution. The impact therefore goes well beyond an ordinary script injection: it is complete compromise of the server. In ATT&CK terms the chain combines T1078 - Valid Accounts (the attacker's legitimate low-privilege login) with T1059.007 - Command and Scripting Interpreter: JavaScript (the payload executing in the administrator's browser).

The root cause is missing input sanitization and output encoding in the administrative user management code. The application neither validates User-Agent values before storing them nor HTML-escapes them when rendering the user information pages, so any markup in the header is interpreted by the administrator's browser. The bar for exploitation is low: the attacker needs only a valid user account, and it is the administrator, not the attacker, who supplies the privileged context by performing a routine task. Because the payload is stored, it is decoupled from the attacker's session and fires every time any administrator views the affected record, so a single request yields a persistent, repeatable trigger. It is a textbook failure of the data-handling pipeline: untrusted input is written to storage and later emitted into a privileged user's page without encoding.

Mitigation should start with output encoding and input validation in the affected files. Every user-supplied value, HTTP headers included, must be HTML-escaped when it is displayed in administrative contexts, and User-Agent values should be validated (character set, length) before being stored. A Content Security Policy that disallows inline scripts limits what a stored payload can do if encoding is missed somewhere. Beyond the immediate fix, the rest of the application should be audited for the same pattern of storing request metadata and later rendering it, administrator activity should be monitored for unexpected file writes or user changes, and the vendor's patched release should be applied promptly. The case also shows why the principle of least privilege matters: a single ordinary user account, combined with one administrator's routine page view, was enough for full compromise.
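To make the flaw and its fixes concrete, here is an added Python model of the pattern described above; it is not FUDForum code and does not reproduce admsession.php or admuser.php. It shows a session store that keeps the User-Agent header verbatim, the admin "User Manager" row rendered with and without output encoding, an input-side validator that deliberately does not try to be the fix, a CSP header, and a detector that scans combined-format access logs for script markers in the User-Agent field. All sample values and log lines are constructed, and the user id, function names and regular expressions are assumptions for illustration.

```python
import html
import re

# Constructed sample values (not taken from the advisory or from FUDForum):
# one ordinary browser User-Agent and one carrying a minimal script tag.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
HOSTILE_UA = "<script>alert(1)</script>"

# Constructed combined-log-format lines; the second one records the hostile header.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "%s"' % BENIGN_UA,
    '203.0.113.5 - alice [12/Nov/2019:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 3100 "-" "%s"' % HOSTILE_UA,
]


def store_session(db, user_id, user_agent):
    """Persist the header verbatim, as a forum session/user table typically does.
    Storage itself is not the bug; the bug is rendering it later without encoding."""
    db.setdefault(user_id, {})["user_agent"] = user_agent


def render_user_row_vulnerable(db, user_id):
    """Admin 'User Manager' row built by plain string interpolation: the stored
    header lands in the page as live markup (the pattern the advisory describes)."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (user_id, db[user_id]["user_agent"])


def render_user_row_fixed(db, user_id):
    """Same row with contextual output encoding: every value emitted into HTML
    text is escaped, quotes included, so it can only ever be displayed."""
    ua = html.escape(db[user_id]["user_agent"], quote=True)
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(str(user_id)), ua)


# Input-side check: printable ASCII only, bounded length. This blocks control
# characters and oversized values but does NOT strip '<', because '<' is legal
# in a User-Agent string; escaping on output is the real fix, this is defense in depth.
UA_ALLOWED = re.compile(r"^[\x20-\x7e]{1,512}$")


def validate_user_agent(user_agent):
    return bool(UA_ALLOWED.match(user_agent))


# Response header that stops inline <script> from running even if some page
# forgets to escape; the app's own inline code would then need nonces or hashes.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")

# Detection: combined-log-format parser plus a pattern for script markers in the
# User-Agent field. Scanners will produce some hits too; that is fine for triage.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
SUSPICIOUS_UA = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def flag_suspicious_user_agents(log_lines):
    """Return (client_ip, user_agent) for every line whose User-Agent looks like markup."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and SUSPICIOUS_UA.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def demo():
    """Run the vulnerable and fixed renderers side by side on the hostile header."""
    db = {}
    store_session(db, 42, HOSTILE_UA)  # user id 42 is an arbitrary constructed value
    return {
        "vulnerable": render_user_row_vulnerable(db, 42),
        "fixed": render_user_row_fixed(db, 42),
        "validator_passes_hostile": validate_user_agent(HOSTILE_UA),
        "log_hits": flag_suspicious_user_agents(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The validator intentionally accepts the hostile header: it is there to show that a character allow-list on the input side cannot replace output encoding, since a legitimate User-Agent may contain angle brackets. The log detector is the after-the-fact check an operator would run over access logs to find accounts whose stored header should be inspected and cleaned.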

Reservation

11/12/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.08154

KEV

no

Activities

very low

Sources
