SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Board-tnk
Vendors:   Linux-Sottises
Board-tnk Bulletin Board Forum Input Validation Bugs Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1003885
SecurityTracker URL:  http://securitytracker.com/id/1003885
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.0
Description:   ALPER Research Labs issued an advisory warning of a cross-site scripting flaw in the 'board-tnk' bulletin board forum software.

It is reported that the "WEB" input field is not properly filtered. A remote user can submit the following type of information to this field:

<script>alert("ALPERz was here!")</script>

Then, when another user views the web page, the code will be executed. The code will appear to originate from the site running board-tnk and will run in the security context of that site. The code will be able to access the user's cookies associated with the site (if any).

Impact:   A remote user can conduct cross-site scripting attacks against board-tnk users to obtain their authentication cookies and other sensitive information.
Solution:   The vendor has released a fixed version (1.3.1), available at:

http://www.linux-sottises.net/software.php

Vendor URL:  www.linux-sottises.net/software.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability




+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A09    ----/----------/+
+/-----------\----- salper@olympos.org  ---/-----------/+


Advisory Information
--------------------
Name               : Board-TNK Cross Site Scripting Vulnerability
Software Package   : Board-TNK
Vendor Homepage    : http://www.linux-sottises.net/
Vulnerable Versions: v1.3.0 and probably others
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.3.1 (immune)


Summary
-------
Board-TNK is a discussion board written in PHP 
(versions for both PHP3 and PHP4 are available). 
It has support for multiple forums, use of cookies 
for showing users new messages since their last 
visit and storing their information to simplify 
new posts, a choice of smiley icons for each 
message, ability to use a subset of HTML within 
the messages, multiple language support (English, 
French, German, Dutch, Italian, Turkish, and 
Spanish), and a full admin page that allows you to 
create and delete forums, entire threads, or answers 
from a thread. It is possible to prefix the MySQL 
tables if only one database is allowed on an ISP 
server. 

A Cross Site Scripting vulnerability exists in 
Board-TNK forums. This would allow a remote 
attacker to send information to victims from untrusted 
web servers, and make it look as if the information 
came from the legitimate server.


Details
-------
The URLs and the user input seem to be filtered 
pretty well. But I guess that the coders have missed 
a point. The "WEB" input, when replying or creating 
topics, is not filtered enough. So a Cross Site 
Scripting vulnerability exists in Board-TNK forums.


Example input for the "WEB" input
<script>alert("ALPERz was here!")</script>

After submitting this information, whenever anyone 
browses the page where the topic is, the script will 
take effect.


Solution
--------
The vendor replied to my mail and released a new 
version which is immune to this vulnerability very 
quickly (on the same day :})

You may download the new version or use the 
method suggested by me, and approved by the 
vendor, if you have made any modifications to the 
board.

Strip HTML tags, and possibly other malicious code, 
within "xx_board.php", where xx is the specified 
forum language (e.g. en for English). The default for 
that is "board.php".

I suggest the following as a workaround:
At the beginning of "board.php" add the lines below:

# Patch Start
$web_post = strip_tags($web_post);
# Patch End


Credits
-------
Discovered on 15, March, 2002 by 
Ahmet Sabri ALPER 
salper@olympos.org
http://www.olympos.org


References
----------
Product Web Page: http://www.linux-sottises.net/
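
The following added example, which is not part of the advisory and is not Board-TNK code, puts the advisory's strip_tags workaround beside scheme validation and output encoding for the "WEB" field. It assumes PHP 7 or later and that the field holds a homepage URL that the board echoes into a link; clean_web_field and render_web_link are hypothetical names, and the sample inputs other than the advisory's payload are constructed.

```php
<?php
// Added example, not Board-TNK code. Assumption: the "WEB" value is a
// homepage URL that the board later echoes into an <a href="..."> link.

// Hypothetical helper: accept only absolute http(s) URLs, else return ''.
function clean_web_field(string $raw): string
{
    $url = trim(strip_tags($raw));          // the advisory's workaround
    if ($url === '' || strlen($url) > 255) {
        return '';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);   // null or false if absent
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';                          // non-http(s) or no scheme
    }
    return $url;
}

// Hypothetical helper: encode at output time so quotes and angle brackets
// in the stored value cannot close the attribute or open a new tag.
function render_web_link(string $url): string
{
    if ($url === '') {
        return '';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
}

// Sample inputs: the first is the advisory's payload, the rest are constructed.
$samples = [
    '<script>alert("ALPERz was here!")</script>',  // tags stripped, no scheme left
    'javascript:void(0)',                          // non-http scheme
    'http://example.org/?q="quoted"',              // quotes survive strip_tags
    'http://www.linux-sottises.net/',              // ordinary homepage URL
];
foreach ($samples as $raw) {
    $link = render_web_link(clean_web_field($raw));
    printf("%-46s => %s\n", $raw, $link === '' ? '(rejected)' : $link);
}
```

strip_tags on its own leaves quote characters and the URL scheme untouched, which is why the example also validates the scheme on input and encodes the value when it is written into the page.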

 
 



Copyright 2019, SecurityGlobal.net LLC