Web forum admins urged to update to latest version

Codoforum, the PHP forum software used by thousands of websites, has been patched against a stored cross-site scripting (XSS) vulnerability that could lead to admin accounts being compromised.

Left unpatched, the flaw could allow an attacker to inject an XSS payload into a forum’s user registration page, according to security researchers ‘Prasanth c41m’ and Vyshnav Vizz, who discovered the issue.

The XSS payload could be triggered each time a forum admin visited the ‘manage user’ section, allowing an attacker to steal their session cookie and assume full administrative rights.
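To make the defensive point concrete, here is an added illustrative sketch (not Codoforum's own code) of the rendering pattern behind this class of bug and its fix: a stored registration field echoed into an admin 'manage user' page unescaped, beside the same row rendered with output encoding, plus session-cookie flags that limit what a script can do with the cookie. The user record, field names and function names are assumptions.

```php
<?php
// Added example, not Codoforum code: harden an admin "manage users" listing
// against markup stored in a registration field.
declare(strict_types=1);

// Hypothetical user record as it might be read back from the forum database.
// The username is a constructed sample containing inert markup.
$user = [
    'id'       => 42,
    'username' => '<script>probe()</script>',
    'email'    => 'user@example.invalid',
];

// Vulnerable pattern: the stored value is interpolated into HTML verbatim,
// so the browser of any admin who views this page runs it as markup.
function renderUserRowUnsafe(array $u): string
{
    return "<tr><td>{$u['id']}</td><td>{$u['username']}</td><td>{$u['email']}</td></tr>";
}

// Hardened pattern: every untrusted field is output-encoded for an HTML
// text context (ENT_QUOTES also makes it safe inside quoted attributes).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $u): string
{
    return '<tr><td>' . e((string) $u['id']) . '</td><td>' . e($u['username'])
         . '</td><td>' . e($u['email']) . '</td></tr>';
}

// Defence in depth, to be called before session_start(): HttpOnly keeps the
// session cookie out of document.cookie, SameSite limits cross-site reuse.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

echo renderUserRowUnsafe($user), PHP_EOL; // <script> tag reaches the admin's browser intact
echo renderUserRowSafe($user), PHP_EOL;   // shown as literal text: &lt;script&gt;probe()...
```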

An updated version of the software – Codoforum 4.8.4 – was released last week, complete with a fix for the XSS flaw.

Commercial Codoforum customers can rest easy, developer Codologic told The Daily Swig, since “their version isn’t affected by the same vulnerability due to an additional security plugin”.

Mumbai-based Codologic, which thanked the researchers for their coordinated disclosure on its own message board, estimates that Codoforum is used by thousands of sites.

The researchers have posted further technical details on Medium.
