Home page logo
/

bugtraq logo Bugtraq mailing list archives

[ARL02-A09] Board-TNK Cross Site Scripting Vulnerability
From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 16 Mar 2002 23:10:13 -0000



+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A09    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+


Advisory Information
--------------------
Name               : Board-TNK Cross Site Scripting 
Vulnerability
Software Package   : Board-TNK
Vendor Homepage    : http://www.linux-sottises.net/
Vulnerable Versions: v1.3.0 and probably others
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.3.1 (immune)


Summary
-------
Board-TNK is a discussion board written in PHP 
(versions for both PHP3 and PHP4 are available). 
It has support for multiple forums, use of cookies 
for showing users new messages since their last 
visit and storing their information to simplify 
new posts, a choice of smiley icons for each 
message, ability to use a subset of HTML within 
the messages, multiple language support (English, 
French, German, Dutch, Italian, Turkish, and 
Spanish), and a full admin page that allows you to 
create and delete forums, entire threads, or answers 
from a thread. It is possible to prefix the MySQL 
tables if only one database is allowed on an ISP 
server. 

A Cross Site Scripting vulnerability exists in 
Board-TNK forums. This would allow a remote 
attacker to send information to victims from untrusted 
web servers, and make it look as if the information 
came from the legitimate server.


Details
-------
The URL's and the user input seem to be filtered 
pretty good. But I guess that the coders have missed 
a point. The "WEB" input when replying or creating 
topics, is not filtered enough. So a Cross Site 
Scripting vulnerability exists in Board-TNK forums.


Example input for the "WEB" input
&lt;script&gt;alert("ALPERz was here!")&lt;/script&gt;

After submitting this information, whenever anyone 
browses the page where the topic is, the script will 
take effect.


Solution
--------
The vendor replied to my mail and released a new 
version which is immune to this vulnerability very 
quickly (on the same day :})

You may download the new version or use the 
method suggested by me, and approved by the 
vendor, if you have made any modifications to the 
board.

Strip HTML tags, and possibly other malicious code 
within "xx_board.php". Where xx is the specified 
forum language (Eg: en for English). Default for that 
is "board.php".

I suggest the following as a workaround;
At the beginning of "board.php" add the lines below;

# Patch Start
$web_post= strip_tags ($web_post);
# Patch End


Credits
-------
Discovered on 15, March, 2002 by 
Ahmet Sabri ALPER 
salper () olympos org
http://www.olympos.org


References
----------
Product Web Page: http://www.linux-sottises.net/


  By Date           By Thread  

Current thread:
  • [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability Ahmet Sabri ALPER (Mar 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault