PostBoard Add-on Module for PostNuke Allows Cross-Site Scripting Attacks and Denial of Service Attacks
SecurityTracker Alert ID: 1004077|
SecurityTracker URL: http://securitytracker.com/id/1004077
(Links to External Site)
Date: Apr 17 2002
Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via network, User access via network|
Version(s): 2.0, 2.0.1|
Several vulnerabilities were reported in the PostBoard is an add-on module for PostNuke. Remote users can conduct cross-site scripting attacks against PostBoard users and can also cause denial of service conditions.|
The software is also affected by nested 'bbcode' encoding vulnerabilities that were recently reported for a different product (phpBB). A remote user can insert nested bbcode into a message that will cause the host's CPU usage to increase significantly and may cause database corruption.
A remote user can conduct cross-site scripting attacks to steal the cookies of PostBoard users or to cause the target (victim) PostBoard user to take actions on behalf of the remote user. A remote user with an account on the system can also create denial of service conditions on the server.|
The vendor is reportedly working on a fix.|
Vendor URL: www.nukeaddon.com/ (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
|Underlying OS Comments: PHP-based|
Source Message Contents
Subject: Multiple Vulnerabilities in PostBoard|
Multiple Vulnerabilities in PostBoard
PostBoard is an add-on module for the PostNuke content
management system which implements a forum system.
The current version of PostBoard is 2.0.1 and can be
www.nukeaddon.com or ftp.dndresources.com.
I have discovered 3 problems with it. One of which was
originally discovered in another product by someone
else. These all exist in the 2.0/2.0.1 version.
1) bbcode IMG tag cross-site scripting
PostBoard uses the common bbcode markup system which
uses tags similar to html. The [IMG] tag will accept
machine upon viewing a message that contains it.
Solution: Only allow URLs that start with 'http://'
2) Topic title cross-site scripting
When adding a new topic to a forum the user enters a
title for their new topic. The topic title can contain
any valid HTML code including <script> tags.
For example you can create a topic with the following
title and the script will execute when someone views
the list of topics in a forum:
<script>alert('give me cookies');</script>
Solution: Do not allow unsafe HTML in topic titles.
There are functions available to do this in
the PostNuke API (i.e. pnVarPrepHTMLDisplay).
3) bbcode encoding problems
A recent advisory from Whitecell exposed
vulnerabilities in phpBB's handling of nested
bbcode tags which can lead to database
corruption and high CPU usage.
PostBoard appears to use the same code as phpBB for
encoding bbcode tags to HTML. It would be fair to
assume that PostBoard suffers from the same
problems as phpBB in this regard.
The original advisory by Whitecell can be found here:
A solution is provided in the above advisory.
Note: I have not tested this, but as the code in
PostBoard appears to have been pasted from phpBB it's
a fairly safe bet the problem exists.
Vendor was notified of Whitecell advisory on the 7th
Vendor was notified of problems 1 & 2 on the 8th of
A reply was received on 9th stating that fixes would
be available in the next version. No date was given.
I sent the vendor another email on the 13th of April
to follow up on progress as there had been a bug fix
release which did not contain fixes for any of the
On the 14th of April someone left a message on the
PostBoard support forum which sounded like someone had
been attacked with one of these problems. He included
some detail as to how it was done. I notified the
vendor that I would be posting an advisory.
On the 16th of April another person reported that
they had had their forums redirected to another
site, probably via the same method (putting a
response from vendor.
The only pratical workaround for these problems is to
remove PostBoard from your site, or deny access to it
until a fix is released. Or try and patch it yourself.
I do not work for, nor am I affiliated with any
security related organisation, especially any that
might have the same initials as my nickname/handle :)
Oh - and a big shout out to the NZ2600 crew, hi guys
(and gals)! ;)
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax