SecurityTracker.com

Category:   Application (Forum/Board/Portal)  >   PostBoard
Vendors:   [Multiple Authors/Vendors]
PostBoard Add-on Module for PostNuke Allows Cross-Site Scripting Attacks and Denial of Service Attacks
SecurityTracker Alert ID:  1004077
SecurityTracker URL:  http://securitytracker.com/id/1004077
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2002
Impact:   Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via network, User access via network

Version(s): 2.0, 2.0.1
Description:   Several vulnerabilities were reported in PostBoard, an add-on module for PostNuke. Remote users can conduct cross-site scripting attacks against PostBoard users and can also cause denial of service conditions.

A remote user can reportedly inject JavaScript into bbcode IMG tags, as shown below:

[IMG]javascript:alert('give me cookies');[/IMG]

When another PostBoard user then views the message containing this image tag, the JavaScript is executed by that user's browser. The code originates from the site running PostBoard and runs in the security context of that site. As a result, the code can access the target user's cookies associated with that site.

JavaScript can also reportedly be entered in the title of a new topic when the topic is created.

The software is also affected by nested 'bbcode' encoding vulnerabilities that were recently reported for a different product (phpBB). A remote user can insert nested bbcode into a message that will cause the host's CPU usage to increase significantly and may cause database corruption.

Impact:   A remote user can conduct cross-site scripting attacks to steal the cookies of PostBoard users or to cause the target (victim) PostBoard user to take actions on behalf of the remote user. A remote user with an account on the system can also create denial of service conditions on the server.
Solution:   The vendor is reportedly working on a fix.
Vendor URL:  www.nukeaddon.com/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in PostBoard


Multiple Vulnerabilities in PostBoard
-------------------------------------

PostBoard is an add-on module for the PostNuke content
management system which implements a forum system. 
The current version of PostBoard is 2.0.1 and can be
found at:
www.nukeaddon.com or ftp.dndresources.com.

I have discovered 3 problems with it. One of which was
originally discovered in another product by someone
else. These all exist in the 2.0/2.0.1 version.

Descriptions
------------

1) bbcode IMG tag cross-site scripting

PostBoard uses the common bbcode markup system which
uses tags similar to html. The [IMG] tag will accept 
any source including javascript. For example:

[IMG]javascript:alert('give me cookies');[/IMG]

The above javascript will execute on the victim's 
machine upon viewing a message that contains it.

Solution: Only allow URLs that start with 'http://'


2) Topic title cross-site scripting

When adding a new topic to a forum the user enters a
title for their new topic. The topic title can contain
any valid HTML code including <script> tags. 
For example you can create a topic with the following
title and the script will execute when someone views 
the list of topics in a forum:

<script>alert('give me cookies');</script>

Solution: Do not allow unsafe HTML in topic titles.
There are functions available to do this in 
the PostNuke API (i.e. pnVarPrepHTMLDisplay).


3) bbcode encoding problems

A recent advisory from Whitecell exposed 
vulnerabilities in phpBB's handling of nested 
bbcode tags which can lead to database 
corruption and high CPU usage.

PostBoard appears to use the same code as phpBB for 
encoding bbcode tags to HTML. It would be fair to 
assume that PostBoard suffers from the same 
problems as phpBB in this regard.

The original advisory by Whitecell can be found here:

http://online.securityfocus.com/archive/1/265798

A solution is provided in the above advisory.

Note: I have not tested this, but as the code in 
PostBoard appears to have been pasted from phpBB it's 
a fairly safe bet the problem exists.

Vendor Status
-------------

Vendor was notified of Whitecell advisory on the 7th
of April.

Vendor was notified of problems 1 & 2 on the 8th of
April.

A reply was received on 9th stating that fixes would 
be available in the next version. No date was given.

I sent the vendor another email on the 13th of April
to follow up on progress as there had been a bug fix
release which did not contain fixes for any of the
above problems.

On the 14th of April someone left a message on the
PostBoard support forum which sounded like someone had
been attacked with one of these problems. He included
some detail as to how it was done. I notified the
vendor that I would be posting an advisory.

On the 16th of April another person reported that
they had had their forums redirected to another
site, probably via the same method (putting a 
javascript redirect into a topic title). Still no
response from vendor.


Workarounds
-----------

The only practical workaround for these problems is to
remove PostBoard from your site, or deny access to it
until a fix is released. Or try and patch it yourself.


Disclaimer
----------

I do not work for, nor am I affiliated with any 
security related organisation, especially any that 
might have the same initials as my nickname/handle :)

Oh - and a big shout out to the NZ2600 crew, hi guys
(and gals)! ;)

Thanks!
gcsb.
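
The two fixes proposed in the message above (an 'http://' allowlist for [IMG] sources and escaping of topic titles), as an added example that is not PostBoard or PostNuke code. The function names are hypothetical, htmlspecialchars stands in for a PostNuke output filter such as pnVarPrepHTMLDisplay, and accepting https:// is an assumption beyond the advisory's 'http://' rule.

```php
<?php
// Added example, not PostBoard or PostNuke code; function names are hypothetical.

// Escape text for an HTML text node or a quoted attribute value.
// Assumption: stands in for an output filter such as pnVarPrepHTMLDisplay.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The advisory's rule: the source must start with "http://".
// "https://" is also accepted here (assumption, not in the advisory).
function is_allowed_image_url(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false; // whitespace or control characters inside the URL
    }
    return preg_match('#^https?://[^/]#i', $url) === 1;
}

// Escape the whole message first, then turn only allowlisted [IMG] tags
// into <img>. Rejected tags stay visible as inert, escaped text.
function render_img_bbcode(string $raw): string
{
    $safe = esc_html($raw);
    $html = preg_replace_callback('#\[IMG\](.*?)\[/IMG\]#is', function (array $m): string {
        $url = trim($m[1]); // already HTML-escaped, so quotes cannot close src=""
        return is_allowed_image_url($url) ? '<img src="' . $url . '" alt="">' : $m[0];
    }, $safe);
    return $html ?? $safe; // on a regex error, fall back to the escaped text
}

// Topic titles are plain text: escape on output, no markup allowed.
function render_topic_title(string $raw): string
{
    return esc_html($raw);
}

// The two inputs quoted in the advisory, plus two constructed ones.
$posts = [
    "[IMG]javascript:alert('give me cookies');[/IMG]",
    '[IMG]http://example.test/a.png[/IMG]',          // constructed
    '[IMG]http://example.test/a.png"x=1[/IMG]',      // constructed: quote in URL
];
foreach ($posts as $p) {
    echo render_img_bbcode($p), "\n";
}
echo render_topic_title("<script>alert('give me cookies');</script>"), "\n";
```

Escaping before tag conversion is what keeps a quote character in an accepted URL inside the src attribute; the prefix check alone does not.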




 
 



Copyright 2019, SecurityGlobal.net LLC