From s_alper@hotmail.com Wed Mar 20 04:13:41 2002
From: Ahmet Sabri ALPER
To: bugtraq@securityfocus.com
Date: 16 Mar 2002 23:10:13 -0000
Subject: [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A09 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------

Name               : Board-TNK Cross Site Scripting Vulnerability
Software Package   : Board-TNK
Vendor Homepage    : http://www.linux-sottises.net/
Vulnerable Versions: v1.3.0 and probably others
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.3.1 (immune)

Summary
-------

Board-TNK is a discussion board written in PHP (versions for both PHP3 and PHP4 are available). It supports multiple forums, uses cookies to show users the new messages since their last visit and to store their details so that new posts are quicker to write, offers a choice of smiley icons for each message, allows a subset of HTML within messages, supports multiple languages (English, French, German, Dutch, Italian, Turkish and Spanish), and has a full admin page for creating and deleting forums, entire threads, or individual answers within a thread. The MySQL tables can be prefixed if an ISP allows only one database.

A Cross Site Scripting vulnerability exists in Board-TNK forums. Script supplied by a remote attacker is stored with a post and executes in the browser of every user who views that thread, in the security context of the legitimate board, so the attacker can deliver content to victims that appears to come from the board's own server.

Details
-------

The URLs and the user input seem to be filtered pretty well, but I guess that the coders have missed a point. The "WEB" input when replying or creating topics is not filtered enough, so a Cross Site Scripting vulnerability exists in Board-TNK forums.
Example input for the "WEB" field:

    <script>alert("ALPERz was here!")</script>

After this is submitted, the script executes whenever anyone browses the page on which the topic appears.

Solution
--------

The vendor replied to my mail and released a new version which is immune to this vulnerability very quickly (on the same day :}). You may download the new version or, if you have made any modifications to the board, use the method suggested by me and approved by the vendor: strip HTML tags, and possibly other malicious code, within "xx_board.php", where xx is the forum language (e.g. "en" for English); the default file is "board.php".

I suggest the following as a workaround. At the beginning of "board.php" add the lines below:

    # Patch Start
    $web_post = strip_tags($web_post);
    # Patch End

Credits
-------

Discovered on 15 March 2002 by Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org

References
----------

Product Web Page: http://www.linux-sottises.net/
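The following is an added example, not Board-TNK's code and not part of the original advisory. It places the advisory's strip_tags() workaround beside a stricter treatment of a homepage-style field: validate the value on input as an absolute http(s) URL, and escape it on output for the context it is written into. The names $web_post, validate_web_field() and render_web_link() are assumptions for illustration; the advisory only says the field is called "WEB" and that the workaround is $web_post = strip_tags($web_post). The advisory does not say how the board renders the field; the output function below assumes it is emitted as a link, which is the usual fate of a homepage field.

```php
<?php
// Added example, not Board-TNK's code. Shows the advisory's strip_tags()
// workaround next to input validation plus output escaping for a "WEB"
// (homepage) field. Function names and $web_post are assumptions.

declare(strict_types=1);

// The workaround from the advisory, unchanged in effect: tags are removed,
// but everything between and around them (quotes, URL schemes) is kept.
function workaround_strip(string $web_post): string
{
    return strip_tags($web_post);
}

// Stricter input handling: a homepage field should only ever hold an
// absolute http(s) URL, so reject anything else rather than clean it.
// Returns the accepted URL, '' for an empty field, or null when rejected.
function validate_web_field(string $web_post): ?string
{
    $web_post = trim($web_post);
    if ($web_post === '') {
        return '';
    }
    if (strlen($web_post) > 255) {
        return null;
    }
    // Only characters permitted in a URL; this alone excludes " < > and space.
    if (!preg_match('/^[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]+$/', $web_post)) {
        return null;
    }
    $parts = parse_url($web_post);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // javascript:, data: and similar schemes carry script without any tag.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $web_post;
}

// Output side: escape whatever is stored for the HTML attribute and text
// context it is written into. ENT_QUOTES also neutralises ' so the value is
// safe in either attribute quoting style.
function render_web_link(string $url): string
{
    if ($url === '') {
        return '';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed inputs: the advisory's payload, a normal homepage, an
// attribute break-out, and a scheme that carries script without any tag.
$samples = [
    '<script>alert("ALPERz was here!")</script>',
    'http://www.olympos.org/',
    'http://example.com/"><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($samples as $input) {
    $stripped  = workaround_strip($input);
    $validated = validate_web_field($input);
    printf("input     : %s\n", $input);
    printf("strip_tags: %s\n", $stripped);
    printf("validated : %s\n", $validated === null ? '(rejected)' : $validated);
    printf("rendered  : %s\n\n", $validated === null ? '(nothing stored)' : render_web_link($validated));
}
```

Run it with php from the command line. The strip_tags column shows why tag removal on its own is a partial fix: the advisory's payload is reduced to alert("ALPERz was here!"), but the third sample keeps its closing quote and the fourth keeps its javascript: scheme, both of which matter as soon as the value is written into an href. The validating function rejects all three hostile samples outright and accepts only the real URL, and render_web_link() escapes on output regardless, so the page stays safe even if the stored value was never validated.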